Microsoft finds vulnerability exposing millions of Android crypto wallet users

April 12, 20262 min read1 sources
Share:
Microsoft finds vulnerability exposing millions of Android crypto wallet users

Microsoft security researchers have disclosed a significant vulnerability in a third-party software development kit (SDK) that exposed millions of Android cryptocurrency wallet users to potential data theft and fraud. The flaws were discovered in the EngageLab Push SDK, a component used by over 10 major crypto wallet applications available on the Google Play Store.

The research, published by the Microsoft 365 Defender Research Team, details multiple security weaknesses in the SDK. The component collected and stored sensitive user and device data—including IMEI, MAC address, and location information—in an insecure location on the device's external storage. This made the data accessible to other applications with basic permissions.

Additionally, the researchers found a local SQL injection flaw. A malicious actor could have exploited it by sending a specially crafted push notification to inject commands and potentially extract or manipulate data stored by the SDK. The investigation also revealed that the SDK transmitted the collected data back to its servers over unencrypted HTTP. This practice left user data vulnerable to Man-in-the-Middle (MITM) attacks, where an attacker on the same network could intercept and read the information. Using a VPN can help protect against such threats by encrypting a device's internet traffic.

While the research found no direct evidence that the SDK collected crypto wallet private keys or seed phrases, the insecure handling of other sensitive data created a substantial attack surface that could be chained with other exploits to compromise user accounts and assets.

Microsoft reported the vulnerabilities to EngageLab in April 2023. The vendor acknowledged the issues and released a patched version of the SDK the following month. The public disclosure was withheld until February 2024 to allow app developers sufficient time to integrate the fix and for users to update their applications, mitigating the immediate risk.

Share:

// SOURCES

// RELATED

Meta settles bellwether lawsuit alleging addictive design harmed student mental health

Meta's confidential settlement with a Washington school district marks a pivotal moment in the massive litigation against social media's psychological

6 min readMay 24

Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network

A sophisticated zero-day attack on Huawei routers allegedly caused Luxembourg's 2023 national telecom outage, raising severe global security concerns.

6 min readMay 23

MiniPlasma Windows 0-day enables SYSTEM privilege escalation on fully patched systems

A newly disclosed 0-day flaw, MiniPlasma, allows attackers to gain full SYSTEM control on patched Windows systems, with a public PoC accelerating risk

6 min readMay 18

The ransomware dilemma: why more than half of security chiefs would pay the price

A new survey reveals 56% of CISOs would consider paying a ransom, highlighting the intense pressure to restore operations despite official guidance.

6 min readMay 16