Android Flaw Leaves 30 Million Crypto Wallets Open To Attack: Microsoft Analysts

bitcoinistPublished on 2026-04-11Last updated on 2026-04-11

Abstract

Microsoft analysts revealed a critical security flaw in the EngageLab SDK (v4.5.4), leaving over 30 million Android crypto wallets vulnerable to attack. The "intent redirection" vulnerability allowed a malicious app to bypass Android's sandbox and gain read/write access to a wallet's private data, including seed phrases and keys, without any user interaction. A patch (SDK 5.2.1) was released in mid-2025. Users who haven't updated their apps since then are advised to not only update but also move their funds to new wallets with fresh seed phrases, as any unpatched wallet is considered compromised. The flaw also affected over 50 million apps in total.

A patch has been available for nearly a year, but millions of Android users may still be running vulnerable crypto wallet apps — leaving their funds and private keys exposed to a known security flaw.

Microsoft’s Defender Security Research Team went public last week with details of a vulnerability it first caught in April 2025. The flaw lived inside a widely used software component called the EngageLab SDK, version 4.5.4.

Because that SDK is baked into thousands of Android apps, a single malicious app could trigger a chain reaction that reached far beyond itself.

How The Attack Works

The method is called “intent redirection.” An attacker’s app sends a specially crafted message to any app running the flawed SDK version. Once that message lands, the targeted app is tricked into handing over read and write access to its own data — including stored seed phrases and wallet addresses.

Source: Microsoft

Android’s built-in sandbox system, which normally keeps apps from seeing each other’s data, was bypassed entirely. According to Microsoft, the attack affected more than 50 million apps across the Android ecosystem, with roughly 30 million of those being crypto wallets.

The vulnerability did not require the user to do anything wrong. No suspicious links. No phishing pages. Just having the wrong apps installed at the same time was enough.

Source: Microsoft

Response From Microsoft And Google

Microsoft moved quickly after its discovery. By May 2025, the company had brought Google and the Android Security Team into the response. EngageLab released a fixed version — SDK 5.2.1 — shortly after.

Reports indicate that both Microsoft and Google have since directed users on how to verify whether their wallet apps have been updated through Google Play Protect.

BTCUSD trading at $72,906 on the 24-hour chart: TradingView

Officials also pointed to a broader concern: apps installed as APK files from outside the Play Store are at higher risk, since they bypass the security checks that Google applies to apps listed in its official marketplace.

What Users Should Do Now

For most users who update their apps regularly, the risk has likely passed. But for anyone who has not updated since mid-2025, the recommended action goes beyond a simple app refresh.

Security teams are advising those users to move their funds into entirely new wallets, generated with fresh seed phrases. Any wallet that was active and unpatched during the exposure window should be treated as potentially compromised.

The disclosure comes alongside a separate Android chip vulnerability flagged the previous month and a new US Treasury initiative that pairs government agencies with crypto firms to share cybersecurity threat information — a sign that mobile security in the crypto space is drawing attention at the highest levels.

Featured image from Bleeping Computer, chart from TradingView

Related Questions

QWhat is the name of the vulnerable software component and which version was affected?

AThe vulnerable software component is the EngageLab SDK, specifically version 4.5.4.

QWhat is the attack method called and how does it work?

AThe attack method is called 'intent redirection.' A malicious app sends a specially crafted message to an app running the flawed SDK, tricking it into granting read and write access to its own data, including seed phrases and wallet addresses.

QHow many crypto wallet apps were estimated to be affected by this vulnerability?

ARoughly 30 million crypto wallet apps were estimated to be affected.

QWhat is the primary action recommended for users who had an unpatched wallet app?

AUsers are advised to move their funds into entirely new wallets generated with fresh seed phrases, as the old wallet should be treated as potentially compromised.

QWhich two major companies collaborated on the response to this vulnerability after its discovery?

AMicrosoft and Google (specifically the Android Security Team) collaborated on the response.

Related Reads

Amazon Invests Additional $25 Billion in Anthropic, AI Infrastructure 'Arms Race' Escalates

Amazon announces an additional investment of up to $25 billion in Anthropic, with $5 billion delivered immediately and the remaining contingent on performance milestones. This follows a recent $50 billion investment in OpenAI, highlighting Amazon's strategy of backing leading AI labs. The deal includes a commitment from Anthropic to spend over $100 billion on AWS infrastructure over the next decade, securing up to 5 gigawatts of computing power to address growing demand and capacity constraints. Anthropic’s annualized revenue has surpassed $30 billion, but the company faces infrastructure strain due to rapid user growth. The investment will support scaling Claude’s capabilities using Amazon’s custom Trainium and Graviton chips. The move deepens integration between Anthropic and AWS, allowing Claude to be accessed natively within AWS services. Over 100,000 organizations already use Claude via Amazon Bedrock. This investment is part of a broader AI infrastructure race, with Amazon planning around $200 billion in capital expenditures this year, largely focused on expanding AI compute capacity.

marsbit19m ago

Amazon Invests Additional $25 Billion in Anthropic, AI Infrastructure 'Arms Race' Escalates

marsbit19m ago

A New CEO Who Has Worked Exclusively with Hardware for 25 Years Takes Over Apple, Valued at 4 Trillion

Apple, the world's most valuable tech firm, has appointed John Ternus as its new CEO, effective September 1, replacing Tim Cook who transitions to executive chairman. Ternus, a 51-year-old mechanical engineer with 25-year tenure at Apple, previously served as senior vice president of hardware engineering. Known for his low public profile and lack of social media presence, he played key roles in developing products like the iPad, AirPods, and led Apple’s transition from Intel to in-house silicon chips. Ternus takes over a company valued at $4 trillion, with Cook having multiplied Apple’s revenue and built a $100 billion services business. However, he inherits significant challenges: Apple’s AI efforts, including the delayed Siri revamp powered by Google’s Gemini, remain unproven, and the company is preparing to launch its first foldable iPhone amid supply constraints. While Ternus’s hardware expertise positions him well for product-driven innovation, his lack of software/AI experience raises questions about Apple’s competitiveness in the AI era. The company’s structure has been adjusted to support him, with Cook remaining in an advisory role. Ternus’s engineer-led approach—emphasizing humility and collaboration—may prove vital in navigating Apple’s next chapter.

marsbit19m ago

A New CEO Who Has Worked Exclusively with Hardware for 25 Years Takes Over Apple, Valued at 4 Trillion

marsbit19m ago

Atkins' First Year at the Helm of the SEC: A Comprehensive Shift in Crypto Regulation

Paul Atkins marked his one-year anniversary as Chair of the U.S. Securities and Exchange Commission (SEC) on April 21, 2025, overseeing a significant shift in the agency’s approach to cryptocurrency regulation. Under his leadership, the SEC dropped multiple enforcement actions against crypto firms, approved several crypto-linked ETFs, and issued guidance clarifying that most cryptocurrencies are not considered securities under federal law. The SEC also signed a memorandum with the CFTC to improve regulatory coordination. These actions reversed the aggressive enforcement stance of his predecessor, Gary Gensler, and aligned with Trump administration promises to support the crypto industry. However, Atkins has faced criticism from Democratic lawmakers, including Senator Elizabeth Warren, who raised concerns over potential conflicts of interest, particularly regarding dropped cases linked to Trump-affiliated companies. While regulatory clarity has improved, the SEC still awaits congressional action to formally define its jurisdiction over digital assets.

marsbit29m ago

Atkins' First Year at the Helm of the SEC: A Comprehensive Shift in Crypto Regulation

marsbit29m ago

a16z: 5 Ways Blockchain Can Help AI Agent Infrastructure

Blockchain technology provides critical infrastructure for AI agents by addressing five key challenges: 1) Non-human identity: AI agents lack standardized, portable identity systems. Blockchain enables verifiable, cross-platform agent identities (like "Know Your Agent" frameworks) through cryptographic credentials and on-chain registries. 2) AI governance: When AI systems execute decisions, blockchain ensures transparency and prevents centralized control by recording actions on-chain and enabling auditable execution logs. 3) Payments: Stablecoins and crypto payments (e.g., x402, MPP) serve as default settlement layers for agent-to-agent commerce, enabling frictionless, programmable transactions for "headless" AI-native businesses. 4) Trust and verification: As AI scales, blockchain provides cryptographic proof of origin and auditable histories, making verification—not intelligence—the scarce resource. 5) User control: Crypto-native tools (e.g., delegation toolkits, intent-based architectures) allow users to set boundaries and maintain oversight over autonomous agents, minimizing blind trust. Together, blockchain and AI can create an economic infrastructure built on transparency, accountability, and user sovereignty.

marsbit1h ago

a16z: 5 Ways Blockchain Can Help AI Agent Infrastructure

marsbit1h ago

You Bet on the News, the Pros Read the Rules: The True Cognitive Gap in Losing Money on Polymarket

The article explains that the key to profiting on Polymarket, a prediction market platform, lies not just predicting real-world events correctly, but in meticulously understanding the specific rules that govern how each market will be resolved. It illustrates this with examples, such as a market on Venezuela's 2026 leader, where the official rules defining "officially holds" the office overruled the intuitive answer of who was in practical control. Other examples include debates over the definition of a "token" or what constitutes an "agreement." The core argument is that a "reality vs. rules" gap creates pricing discrepancies that savvy traders ("车头" or "whales") exploit. The platform has a formal dispute resolution process managed by UMA token holders to settle ambiguous outcomes. This process involves proposal submission, a challenge window, a discussion period, and a final vote. However, the article highlights a critical flaw in this system compared to a traditional court: the lack of separation between the arbiters (UMA voters) and the interested parties (traders with financial stakes in the outcome). This conflict of interest undermines the discussion phase, leads to herd mentality, and results in opaque final decisions without explanatory rulings. Consequently, the system lacks a body of precedent, making it difficult for users to learn from past disputes. The ultimate takeaway is that success on Polymarket requires a lawyer-like scrutiny of the rules to identify and capitalize on the cognitive gap between how events appear and how they are contractually defined for settlement.

marsbit1h ago

You Bet on the News, the Pros Read the Rules: The True Cognitive Gap in Losing Money on Polymarket

marsbit1h ago

Trading

Spot
Futures
活动图片