EngageLab SDK Flaw Exposed 50M Android Users — 30M in Crypto Wallet Apps | Privacy
Published on MyPrivateClaw
Apr 10, 2026, 5:08 AM UTC
Coverage date
Apr 9, 2026
Last updated
Apr 10, 2026, 5:09 AM UTC
News summary
A critical vulnerability in the EngageLab push notification SDK — embedded silently in hundreds of Android applications — exposed 50 million users to remote code execution and data exfiltration. Researchers found the SDK collected device fingerprints, installed app lists, and precise location data, transmitting them to servers in mainland China without user disclosure or consent. 30 million of the affected users were running cryptocurrency wallet apps, making the exposure particularly severe. The SDK was distributed as a dependency of a dependency, meaning app developers were often unaware it was present. It is a textbook supply-chain risk case study: the attack surface is not the app you install, but the third-party SDKs embedded inside it.
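
One way a developer can find an SDK that arrives as a dependency of a dependency, shown as an added example that is not from the original article: parse the text of Gradle's `dependencies` report and print the chain that pulls a given group in. The sample tree and all coordinates in it are constructed; `com.example.pushsdk` is a placeholder for the SDK's real Maven group, which this page does not give.

```python
import re

# Constructed sample of `./gradlew app:dependencies --configuration
# releaseRuntimeClasspath` output. Every coordinate is a placeholder;
# com.example.pushsdk stands in for the SDK group you are hunting for.
SAMPLE_TREE = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.example.ui:widgets:1.2.0
|    \\--- com.example.ui:base:1.2.0
+--- com.example.analytics:tracker:3.1.0
|    +--- com.example.net:http:2.0.0
|    \\--- com.example.pushsdk:push-core:4.2.0 -> 4.3.1
\\--- com.example.pushsdk:push-ui:1.0.0
"""

# Each tree level is five characters ("|    " or "     "), followed by a
# "+--- " or "\--- " marker and the group:name:version coordinate.
NODE = re.compile(r"^((?:[| ] {4})*)[+\\]--- (\S+)")


def dependency_paths(tree_text, group_prefix):
    """Return the chain of coordinates leading to every node whose group
    starts with group_prefix, with the directly declared dependency first."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration header, blank line or legend
        depth = len(m.group(1)) // 5
        del stack[depth:]          # climb back up to this node's parent
        stack.append(m.group(2))
        if m.group(2).split(":")[0].startswith(group_prefix):
            hits.append(list(stack))
    return hits


def transitive_only(paths):
    """Keep the hits the build file never names: pulled in by something else."""
    return [p for p in paths if len(p) > 1]


if __name__ == "__main__":
    hits = dependency_paths(SAMPLE_TREE, "com.example.pushsdk")
    for path in transitive_only(hits):
        print(" -> ".join(path))
```

Running the same check in CI against each release configuration turns a newly introduced transitive SDK into a build-time finding rather than a post-release surprise.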