Microsoft security researchers have disclosed significant vulnerabilities in a third-party software development kit (SDK) that exposed millions of Android cryptocurrency wallet users to potential data theft and fraud. The flaws were discovered in the EngageLab Push SDK, a component used by over 10 major crypto wallet applications available on the Google Play Store.
The research, published by the Microsoft 365 Defender Research Team, details multiple security weaknesses in the SDK. The component collected and stored sensitive user and device data—including IMEI, MAC address, and location information—in an insecure location on the device's external storage. This made the data accessible to other applications with basic permissions.
Additionally, the researchers found a local SQL injection flaw. A malicious actor could have exploited it by sending a specially crafted push notification to inject commands and potentially extract or manipulate data stored by the SDK. The investigation also revealed that the SDK transmitted the collected data back to its servers over unencrypted HTTP. This practice left user data vulnerable to Man-in-the-Middle (MITM) attacks, where an attacker on the same network could intercept and read the information. Using a VPN can help protect against such threats by encrypting a device's internet traffic.
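The injection class described above, a push-payload field concatenated into a local SQLite statement, is modeled below with Python's sqlite3 next to a validated, parameterized handler. This is an added example, not EngageLab's code: the table, the msg_id field, the function names and both payloads are constructed assumptions.

```python
import json
import re
import sqlite3

# Constructed sample data; table, field names and payloads are hypothetical.
SEED = [("m1", "Price alert"), ("m2", "Login notice"), ("m3", "Promo")]
CRAFTED_PUSH = json.dumps({"msg_id": "m1' OR '1'='1"})
NORMAL_PUSH = json.dumps({"msg_id": "m1"})
MSG_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def new_db():
    """In-memory stand-in for an SDK's local notification store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notifications "
               "(msg_id TEXT PRIMARY KEY, title TEXT, read INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO notifications (msg_id, title) VALUES (?, ?)", SEED)
    return db


def mark_read_vulnerable(db, push_json):
    """Builds SQL by string formatting, so payload text becomes SQL syntax."""
    msg_id = json.loads(push_json)["msg_id"]
    cur = db.execute(f"UPDATE notifications SET read = 1 WHERE msg_id = '{msg_id}'")
    return cur.rowcount


def mark_read_hardened(db, push_json):
    """Validates the field, then binds it as a parameter so it stays data."""
    msg_id = json.loads(push_json).get("msg_id")
    if not isinstance(msg_id, str) or not MSG_ID_RE.fullmatch(msg_id):
        return 0  # reject malformed identifiers before touching the database
    cur = db.execute("UPDATE notifications SET read = 1 WHERE msg_id = ?", (msg_id,))
    return cur.rowcount


def rows_read(db):
    """Number of rows currently flagged as read."""
    return db.execute("SELECT COUNT(*) FROM notifications WHERE read = 1").fetchone()[0]


if __name__ == "__main__":
    for handler in (mark_read_vulnerable, mark_read_hardened):
        db = new_db()
        handler(db, CRAFTED_PUSH)
        print(handler.__name__, "rows marked read:", rows_read(db))
```

On Android the same fix means passing values through the bind-argument parameters of the SQLite APIs instead of building the statement text from message content.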
While the research found no direct evidence that the SDK collected crypto wallet private keys or seed phrases, the insecure handling of other sensitive data created a substantial attack surface that could be chained with other exploits to compromise user accounts and assets.
Microsoft reported the vulnerabilities to EngageLab in April 2023. The vendor acknowledged the issues and released a patched version of the SDK the following month. The public disclosure was withheld until February 2024 to allow app developers sufficient time to integrate the fix and for users to update their applications, mitigating the immediate risk.




