Android Flaw Leaves 30 Million Crypto Wallets Open To Attack: Microsoft Analysts

bitcoinistPublicado a 2026-04-11Actualizado a 2026-04-11

Resumen

Microsoft analysts revealed a critical security flaw in the EngageLab SDK (v4.5.4), leaving over 30 million Android crypto wallets vulnerable to attack. The "intent redirection" vulnerability allowed a malicious app to bypass Android's sandbox and gain read/write access to a wallet's private data, including seed phrases and keys, without any user interaction. A patch (SDK 5.2.1) was released in mid-2025. Users who haven't updated their apps since then are advised to not only update but also move their funds to new wallets with fresh seed phrases, as any unpatched wallet is considered compromised. The flaw also affected over 50 million apps in total.

A patch has been available for nearly a year, but millions of Android users may still be running vulnerable crypto wallet apps — leaving their funds and private keys exposed to a known security flaw.

Microsoft’s Defender Security Research Team went public last week with details of a vulnerability it first caught in April 2025. The flaw lived inside a widely used software component called the EngageLab SDK, version 4.5.4.

Because that SDK is baked into thousands of Android apps, a single malicious app could trigger a chain reaction that reached far beyond itself.

How The Attack Works

The method is called “intent redirection.” An attacker’s app sends a specially crafted message to any app running the flawed SDK version. Once that message lands, the targeted app is tricked into handing over read and write access to its own data — including stored seed phrases and wallet addresses.

Source: Microsoft

Android’s built-in sandbox system, which normally keeps apps from seeing each other’s data, was bypassed entirely. According to Microsoft, the attack affected more than 50 million apps across the Android ecosystem, with roughly 30 million of those being crypto wallets.

The vulnerability did not require the user to do anything wrong. No suspicious links. No phishing pages. Just having the wrong apps installed at the same time was enough.

Source: Microsoft

Response From Microsoft And Google

Microsoft moved quickly after its discovery. By May 2025, the company had brought Google and the Android Security Team into the response. EngageLab released a fixed version — SDK 5.2.1 — shortly after.

Reports indicate that both Microsoft and Google have since directed users on how to verify whether their wallet apps have been updated through Google Play Protect.

BTCUSD trading at $72,906 on the 24-hour chart: TradingView

Officials also pointed to a broader concern: apps installed as APK files from outside the Play Store are at higher risk, since they bypass the security checks that Google applies to apps listed in its official marketplace.

What Users Should Do Now

For most users who update their apps regularly, the risk has likely passed. But for anyone who has not updated since mid-2025, the recommended action goes beyond a simple app refresh.

Security teams are advising those users to move their funds into entirely new wallets, generated with fresh seed phrases. Any wallet that was active and unpatched during the exposure window should be treated as potentially compromised.

The disclosure comes alongside a separate Android chip vulnerability flagged the previous month and a new US Treasury initiative that pairs government agencies with crypto firms to share cybersecurity threat information — a sign that mobile security in the crypto space is drawing attention at the highest levels.

Featured image from Bleeping Computer, chart from TradingView

Preguntas relacionadas

QWhat is the name of the vulnerable software component and which version was affected?

AThe vulnerable software component is the EngageLab SDK, specifically version 4.5.4.

QWhat is the attack method called and how does it work?

AThe attack method is called 'intent redirection.' A malicious app sends a specially crafted message to an app running the flawed SDK, tricking it into granting read and write access to its own data, including seed phrases and wallet addresses.

QHow many crypto wallet apps were estimated to be affected by this vulnerability?

ARoughly 30 million crypto wallet apps were estimated to be affected.

QWhat is the primary action recommended for users who had an unpatched wallet app?

AUsers are advised to move their funds into entirely new wallets generated with fresh seed phrases, as the old wallet should be treated as potentially compromised.

QWhich two major companies collaborated on the response to this vulnerability after its discovery?

AMicrosoft and Google (specifically the Android Security Team) collaborated on the response.

Lecturas Relacionadas

U.S. Soldier Arrested After Betting on Maduro's Ouster Nets $400,000; First Insider Trading Case on Polymarket Concluded

A US Army Special Forces sergeant, Gannon Ken Van Dyke, was arrested and charged by the US Department of Justice for insider trading on the prediction market Polymarket. He used classified information related to "Operation Absolute Resolve," a military operation that led to the capture of Venezuelan President Nicolás Maduro in January 2026, to place bets on Maduro's ouster. Between December 27, 2025, and January 2, 2026, Van Dyke invested approximately $33,034 in 13 bets on Polymarket, all predicting Maduro's removal, US military intervention in Venezuela, and related events. He netted a profit of over $409,881. After the operation, he attempted to conceal his actions by withdrawing funds, changing account details, and requesting the deletion of his Polymarket account. This case marks the first time the US Justice Department has prosecuted insider trading on a prediction market. The CFTC also filed a civil suit, invoking the "Eddie Murphy Rule" from the Dodd-Frank Act, which prohibits trading based on misappropriated government information. The incident highlights broader concerns about insider trading on prediction markets, with similar cases recently reported in Israel and France. Polymarket stated it proactively reported the activity and cooperated with the investigation.

marsbitHace 4 min(s)

U.S. Soldier Arrested After Betting on Maduro's Ouster Nets $400,000; First Insider Trading Case on Polymarket Concluded

marsbitHace 4 min(s)

US Military Is Running A Bitcoin Node, Four-Star Admiral Reveals

US military is operating a Bitcoin node for cybersecurity experiments and network monitoring, not for financial purposes, according to Admiral Samuel Paparo, commander of US Indo-Pacific Command. During a House Armed Services Committee hearing, Paparo emphasized Bitcoin's value as a computer science tool for power projection and securing networks. He highlighted the protocol's combination of proof-of-work, blockchain, and cryptography as having direct national security implications. The military's interest lies in Bitcoin's technological applications rather than its economic aspects, viewing it as a strategic protocol for cybersecurity and digital property protection.

bitcoinistHace 1 hora(s)

US Military Is Running A Bitcoin Node, Four-Star Admiral Reveals

bitcoinistHace 1 hora(s)

Silicon Valley Godfather Naval Takes the Helm, AngelList Packs Pre-IPO Growth Companies into USVC Fund

This article discusses the USVC Venture Capital Access Fund (USVC), a new investment vehicle co-founded by prominent Silicon Valley investor Naval Ravikant through AngelList. The fund's core mission is to provide retail investors access to high-growth, pre-IPO companies—a segment of the market traditionally reserved for venture capitalists and accredited investors. USVC invests in a portfolio of late-stage private companies, including notable names like xAI, Anthropic, and OpenAI. Its key selling point is allowing ordinary investors to gain exposure to the significant value creation that occurs before a company goes public, as the average age of companies at IPO has increased from 6 years in 1980 to 13 years today. However, the article highlights several important constraints: investors buy fund shares, not direct stock; the fund carries a net annual fee of 2.5%; it offers limited liquidity through quarterly share repurchases; and investments are long-term with no fixed end date. The fund has also garnered attention in the Web3 community due to Naval’s and AngelList’s history of supporting crypto and blockchain projects, positioning USVC at the intersection of traditional venture capital and emerging digital asset investment trends.

marsbitHace 1 hora(s)

Silicon Valley Godfather Naval Takes the Helm, AngelList Packs Pre-IPO Growth Companies into USVC Fund

marsbitHace 1 hora(s)

Aave Is Surrendering the Throne of DeFi Lending Due to Its Own Stupidity

An article titled "Aave Is Giving Up Its Throne in DeFi Lending Due to Its Own Foolishness" discusses how Aave mishandled a crisis following a $292 million hack of rsETH from Kelp DAO, leading to significant outflows and reputational damage. After the hack, Aave failed to promptly reassure users or commit to covering potential bad debt—estimated between $123.7 million and $230.1 million—despite having sufficient reserves. This hesitation triggered panic, resulting in $17.2 billion in outflows and liquidity crises across multiple pools. The author argues that Aave’s poor crisis management and reluctance to act quickly exacerbated the situation, damaging its reputation as the "safest DeFi" platform. Meanwhile, competitor Spark, a fork of Aave V3, capitalized on the situation by attracting fleeing funds, growing its TVL by nearly $2 billion. Spark had previously delisted rsETH, avoiding any exposure to the hack. Its proactive communication and strategic positioning contrast sharply with Aave’s delayed response. Although Aave’s founder later announced a relief plan (DeFi United) with multiple partners and a personal donation, the damage to user trust and liquidity may be lasting. The article concludes that Aave’s missteps have allowed competitors like Spark, Morpho, and Jupiter Lend to challenge its dominant position in DeFi lending.

marsbitHace 1 hora(s)

Aave Is Surrendering the Throne of DeFi Lending Due to Its Own Stupidity

Aave, a leading DeFi lending protocol, is facing a severe crisis and losing its dominant market position due to its poor handling of a recent security incident. The crisis began when Kelp DAO suffered a hack resulting in a loss of $292 million in rsETH. In the aftermath, approximately $17.2 billion in funds flowed out of Aave as user panic escalated. The article criticizes Aave's crisis management as "extremely foolish." Instead of promptly offering reassurance or committing to cover the potential bad debt—estimated between $123.7 million and $230.1 million, which Aave could have afforded—the protocol initially deflected blame, emphasizing that its code was not at fault. This delay and lack of a clear guarantee led to widespread user anxiety, triggering a bank run-like scenario where users withdrew funds or borrowed aggressively from other pools, causing liquidity shortages. Meanwhile, Aave’s competitor Spark—a fork of Aave’s own code—has benefited significantly. Having removed support for rsETH months earlier, Spark avoided any losses from the incident and has since seen its TVL grow by nearly $2 billion, attracting major deposits such as over $1.24 billion from Justin Sun. Spark has actively capitalized on the situation, publicly criticizing Aave’s security reputation. Although Aave’s founder Stani eventually announced a relief plan named "DeFi United" with several partners and a personal donation, the damage to user trust and capital outflows may be irreversible. The article concludes that Aave is losing its throne in DeFi lending to aggressive competitors like Spark, Morpho, and Jupiter Lend.

Odaily星球日报Hace 1 hora(s)

Trading

Spot

Futuros