
Intent redirection in EngageLab SDK versions 4.5.4 and earlier enabled sandbox escape on 50M Android devices

1 unique source, 1 article

Summary


A now-patched intent redirection vulnerability in EngageLab SDK versions 4.5.4 and earlier allowed malicious apps on affected Android devices to bypass application sandboxing and gain unauthorized access to private data. At least 50 million installations across multiple apps, including more than 30 million cryptocurrency wallets, were potentially exposed. Exploitation required a malicious app installed on the same device, which would manipulate intent contents and leverage the SDK’s trusted context.

Timeline

  1. 09.04.2026 20:26 · 1 article

    EngageLab SDK intent redirection vulnerability patched after responsible disclosure

    Responsible disclosure initiated in April 2025 led to the release of EngageLab SDK version 5.2.1 in November 2025, addressing an intent redirection flaw in version 4.5.4 that allowed sandbox escape and unauthorized data access on Android devices. Affected apps, including over 30 million cryptocurrency wallets, were removed from Google Play Store following remediation.


Similar Happenings

Android Malware Campaign Abuses Hugging Face Platform

A new Android malware campaign leverages the Hugging Face platform to distribute thousands of variants of an APK payload designed to steal credentials from popular financial and payment services. The attack begins with a dropper app called TrustBastion, which uses scareware-style ads to lure victims into installing it. The malware then redirects to a Hugging Face repository to download the final payload, using server-side polymorphism to evade detection. The malware exploits Android’s Accessibility Services to capture screenshots, monitor user activity, and steal credentials. The campaign was discovered by Bitdefender researchers, who found over 6,000 commits in the repository. The repository was taken down but resurfaced under a new name, 'Premium Club,' with the same malicious code. Bitdefender has published indicators of compromise and informed Hugging Face, which removed the malicious datasets.

The infection chain begins when users download the malicious Android app TrustBastion, which appears as scareware via popups claiming the device is infected with malware. The dropper app prompts users to run an update that mimics legitimate Google Play and Android system update dialog boxes. The dropper contacts an encrypted endpoint hosted at trustbastion[.]com, which returns an HTML file containing a redirect link to the Hugging Face repository hosting the malware. The malware masquerades as a 'Phone Security' feature to guide users through enabling Accessibility Services. The malware requests permissions for screen recording, screen casting, and overlay display to monitor all user activity and capture screen content. The malware captures lockscreen information for security verification of financial and payment services.