GoPlus, a blockchain security platform, issued an emergency alert on April 10, stating that the EngageLab SDK—used broadly for Android push notifications—has a serious security vulnerability. The issue affects more than 50 million Android users, including about 30 million cryptocurrency wallet users. Attackers can deploy malicious code disguised as legitimate applications on the victim devices to steal cryptocurrency wallet private keys and login credentials.
Vulnerability technical principle: a cross-application attack chain executed silently
(Source: GoPlus)
The core flaw in this vulnerability is that the EngageLab SDK does not perform sufficient source validation when handling Android’s Intent communication mechanism. Intent is a legitimate mechanism for passing commands between Android applications, but the EngageLab SDK’s implementation allows commands from unauthorized sources to bypass the normal validation process, triggering the target application to perform sensitive operations.
Full attack chain in three steps
Malicious app implantation: The attacker disguises malicious code as a legitimate App, tricking victims into installing it on the same Android device.
Malicious Intent injection: The malicious app sends a carefully crafted malicious Intent to a cryptocurrency wallet or financial application on the same device that has already integrated the EngageLab SDK.
Privilege-escalation operation execution: After the target app receives the Intent, it executes unauthorized actions without the user’s knowledge, including stealing wallet private keys, login credentials, and other sensitive data.
The greatest danger of this attack chain lies in its stealthiness: victims do not need to take any active action. As long as the device contains both a malicious application and an EngageLab SDK application with the vulnerable version, the attack can be completed in the background.
Scale of impact: irreversible asset-loss risk for crypto users
As a widely deployed building block for push notifications, the EngageLab SDK has been integrated into thousands of Android applications, bringing the scope of this vulnerability to a scale of 50 million devices. Among them, approximately 30 million are cryptocurrency wallet users.
Once a cryptocurrency wallet private key is exposed, attackers can fully take control of the victim’s on-chain assets. Additionally, the irreversible nature of blockchain transactions means losses of this type are nearly impossible to recover, making the risk far greater than ordinary application data breach incidents.
Emergency response measures: an immediate action checklist for developers and users
Segmented security recommendations
- Application developers and vendors
· Immediately check whether your product integrates the EngageLab SDK, and confirm whether the current version is below 4.5.5
· Upgrade to the EngageLab SDK 4.5.5 or later official patched version (please refer to EngageLab’s official documentation)
· Re-release the updated version, and notify users to complete the update as soon as possible
- General Android users
· Immediately go to Google Play to update all apps, prioritizing cryptocurrency wallet and financial apps
· Stay alert to apps downloaded from unknown sources or non-official channels; delete them immediately if necessary
· If you suspect the private key has been leaked, you should immediately create a new wallet on a secure device, transfer assets, and permanently disable the old address
Frequently asked questions
What is the EngageLab SDK, and why is it widely integrated into cryptocurrency wallets?
The EngageLab SDK is a third-party software package that provides Android push notification functionality. Because it is convenient to deploy, it is adopted by many applications. Push notifications are a standard feature in nearly all mobile applications, which is why the EngageLab SDK is also widely present in cryptocurrency wallets and financial applications—leading to this vulnerability affecting 50 million users.
How can I confirm whether my device is affected by this vulnerability?
If your Android device has a cryptocurrency wallet or financial app installed, and it has not yet been updated to the latest version, there is a risk of being affected. It is recommended to update all apps immediately in the Google Play store. Developers can verify whether they use an EngageLab SDK version lower than 4.5.5 by checking the SDK version number within the app.
If a private key has already been leaked, what should be done urgently?
Immediately create a brand-new wallet address on an uncompromised secure device, transfer all assets from the original wallet to the new address, and permanently disable the old address. At the same time, change login passwords for all relevant platforms and enable two-factor authentication for the account to reduce the risk of further compromise.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Kamino Pauses LayerZero-Related Asset Interactions, Closes Deposit and Lending Functions
Kamino has temporarily suspended interactions with LayerZero-related tokens as a precaution, while allowing withdrawals and debt repayments. They emphasize that this measure is for risk management and that user funds are safe.
GateNews1h ago
Kelp DAO Hacked for $292 Million: LayerZero Cross-Chain Bridge Attacked with Forged Messages, Biggest DeFi Event of 2026
Kelp DAO was hacked on April 19. The attacker used LayerZero’s cross-chain bridge to forge messages, releasing 116,500 rsETH, for losses of about $292 million, making it the largest DeFi event of 2026. This incident highlights security vulnerabilities in cross-chain bridges, triggering a sharp market reaction; related protocols also urgently froze assets, facing further liquidation risk.
ChainNewsAbmedia2h ago
Kelp DAO Cross-Chain Bridge Exploited, 116,500 rsETH Worth $292M Stolen
Kelp DAO's cross-chain bridge was exploited, resulting in the theft of 116,500 rsETH worth about $292 million, the largest DeFi attack of 2026. Multiple protocols have taken protective measures, and Kelp DAO is investigating the incident with experts.
GateNews3h ago
KelpDAO's Liquid Staking Token Faces Over $100M Exploitation
Gate News message, according to onchain data, KelpDAO's liquid staking token has been exploited for over $100 million. The incident involves KelpDAO's liquid staking token infrastructure.
GateNews9h ago
Chainalysis Details 'Shadow Crypto Economy' Exposure as Grinex Suspends Operations
Grinex’s shutdown is intensifying scrutiny of crypto laundering tactics, as fund movements suggest behavior inconsistent with typical enforcement actions. Chainalysis analysis highlights patterns that raise questions about whether the activity aligns with a conventional external hack or
Coinpedia10h ago
Rhea Finance Suffers a $18.4 Million Loss After an Oracle Attack: ZachXBT Warns, Tether Freezes 4.34 Million USDT, and the Attacker Returns Some Funds
Rhea Finance suffered an oracle manipulation attack on the NEAR Protocol, with losses reaching $18.4 million—double the initial estimate. The attacker manipulated the pricing of a fake token, causing collateral valuations to be incorrect. Tether froze about $4.34 million in USDT; the attacker returned roughly $3.5 million. To date, more than $7.8 million has been recovered, highlighting the importance of oracle security.
ChainNewsAbmedia19h ago
