A critical Android flaw that can leak wallet seed phrases and private keys has been patched — but millions of crypto users may still be exposed.
What happened
- Microsoft’s Defender Security Research Team first discovered the bug in April 2025. The vulnerability lived in the widely used EngageLab SDK, specifically version 4.5.4, which is embedded in thousands of Android apps.
- The bug allows “intent redirection”: a malicious app can send a crafted message to any app using the vulnerable SDK and trick that app into granting read/write access to its own data. In effect, Android’s app sandbox can be bypassed, letting an attacker access stored seed phrases, wallet addresses and other sensitive data.
- Microsoft says the issue affected more than 50 million apps across Android, about 30 million of which were crypto wallets. Crucially, no user interaction was required — simply having both the malicious app and a vulnerable app installed at the same time was enough.
Response and the patch
- After discovery, Microsoft engaged Google and the Android Security Team. EngageLab released a fixed SDK (version 5.2.1) and the patch has been available since May 2025.
- Google Play Protect and other vendor tools have been used to help users verify whether their wallet apps received the update. Apps installed outside the Play Store (APK side‑loads) are at higher risk because they skip Play Store security checks.
What crypto users should do now
- If you update apps regularly, your exposure is likely resolved. But anyone who hasn’t updated wallet apps since mid‑2025 should assume compromise.
- Security teams recommend treating any wallet that was active and unpatched during the exposure window as potentially compromised and moving funds to newly generated wallets with fresh seed phrases.
- Steps to take:
1. Check that wallet apps are updated to versions that include EngageLab SDK 5.2.1 or later (use Google Play Protect or the app vendor’s guidance).
2. If you can’t confirm the app was patched while it contained funds, create a new wallet and transfer assets to it using a fresh seed phrase.
3. Avoid installing wallet apps via APKs from untrusted sources; prefer official Play Store releases when possible.
Bigger picture
The disclosure comes amid increased scrutiny of mobile crypto security: it followed an Android chip vulnerability flagged the previous month and coincided with a new US Treasury initiative pairing government agencies and crypto firms to share cyber‑threat information. Mobile wallet security is now drawing attention at the highest levels.
Sources: Microsoft Defender Security Research Team, EngageLab SDK release notes, Google/Android Security guidance. (Featured image credit: Bleeping Computer; chart: TradingView.)
Read more AI-generated news on: undefined/news
