GoPlus, a blockchain security platform, issued an emergency alert on April 10, stating that the EngageLab SDK—used broadly for Android push notifications—has a serious security vulnerability. The issue affects more than 50 million Android users, including about 30 million cryptocurrency wallet users. Attackers can deploy malicious code disguised as legitimate applications on the victim devices to steal cryptocurrency wallet private keys and login credentials.
Vulnerability technical principle: a cross-application attack chain executed silently
(Source: GoPlus)
The core flaw in this vulnerability is that the EngageLab SDK does not perform sufficient source validation when handling Android’s Intent communication mechanism. Intent is a legitimate mechanism for passing commands between Android applications, but the EngageLab SDK’s implementation allows commands from unauthorized sources to bypass the normal validation process, triggering the target application to perform sensitive operations.
Full attack chain in three steps
Malicious app implantation: The attacker disguises malicious code as a legitimate App, tricking victims into installing it on the same Android device.
Malicious Intent injection: The malicious app sends a carefully crafted malicious Intent to a cryptocurrency wallet or financial application on the same device that has already integrated the EngageLab SDK.
Privilege-escalation operation execution: After the target app receives the Intent, it executes unauthorized actions without the user’s knowledge, including stealing wallet private keys, login credentials, and other sensitive data.
The greatest danger of this attack chain lies in its stealthiness: victims do not need to take any active action. As long as the device contains both a malicious application and an EngageLab SDK application with the vulnerable version, the attack can be completed in the background.
Scale of impact: irreversible asset-loss risk for crypto users
As a widely deployed building block for push notifications, the EngageLab SDK has been integrated into thousands of Android applications, bringing the scope of this vulnerability to a scale of 50 million devices. Among them, approximately 30 million are cryptocurrency wallet users.
Once a cryptocurrency wallet private key is exposed, attackers can fully take control of the victim’s on-chain assets. Additionally, the irreversible nature of blockchain transactions means losses of this type are nearly impossible to recover, making the risk far greater than ordinary application data breach incidents.
Emergency response measures: an immediate action checklist for developers and users
Segmented security recommendations
- Application developers and vendors
· Immediately check whether your product integrates the EngageLab SDK, and confirm whether the current version is below 4.5.5
· Upgrade to the EngageLab SDK 4.5.5 or later official patched version (please refer to EngageLab’s official documentation)
· Re-release the updated version, and notify users to complete the update as soon as possible
- General Android users
· Immediately go to Google Play to update all apps, prioritizing cryptocurrency wallet and financial apps
· Stay alert to apps downloaded from unknown sources or non-official channels; delete them immediately if necessary
· If you suspect the private key has been leaked, you should immediately create a new wallet on a secure device, transfer assets, and permanently disable the old address
Frequently asked questions
What is the EngageLab SDK, and why is it widely integrated into cryptocurrency wallets?
The EngageLab SDK is a third-party software package that provides Android push notification functionality. Because it is convenient to deploy, it is adopted by many applications. Push notifications are a standard feature in nearly all mobile applications, which is why the EngageLab SDK is also widely present in cryptocurrency wallets and financial applications—leading to this vulnerability affecting 50 million users.
How can I confirm whether my device is affected by this vulnerability?
If your Android device has a cryptocurrency wallet or financial app installed, and it has not yet been updated to the latest version, there is a risk of being affected. It is recommended to update all apps immediately in the Google Play store. Developers can verify whether they use an EngageLab SDK version lower than 4.5.5 by checking the SDK version number within the app.
If a private key has already been leaked, what should be done urgently?
Immediately create a brand-new wallet address on an uncompromised secure device, transfer all assets from the original wallet to the new address, and permanently disable the old address. At the same time, change login passwords for all relevant platforms and enable two-factor authentication for the account to reduce the risk of further compromise.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
When DeFi is too slow for young people and too risky for old money: are we all using Treasury bond interest to shoulder junk bond risk?
DeFi once attracted young people with five-figure APY rates, but it is now seen as overpriced and carrying too much risk. Over the past year, more than $1.62 billion has been stolen, and at one point Aave’s interest rate spiked to 12.4%. The fair yield is about 12.55%, with a retail entry threshold of 18%. Institutional players prefer “strategy-isolated vaults” to reduce tail risk. Conclusion: high leverage is no longer in; in the future, we’ll need higher-risk pricing and insurance tools to accommodate both young people and old money.
ChainNewsAbmedia32m ago
Robinhood Warns of Phishing Emails Sent to Some Customers
Gate News message, April 27 — Robinhood alerted users on social media that some customers received fraudulent emails last Sunday evening claiming to be from noreply@robinhood.com with the subject line "Your recent login to Robinhood."
The phishing attempt stemmed from misuse of the account
GateNews34m ago
Websea Crypto Exchange Faces Suspected Exit Scam, Withdrawal Channels Closed
Gate News message, April 27 — Crypto trading platform Websea has suspended withdrawals and closed its C2C (peer-to-peer) channels, with multiple users reporting the exchange appears to have conducted an exit scam. The platform initially restricted withdrawals before completely shutting down the C2C
GateNews1h ago
RAVE Token Surges 110x in Two Weeks, Then Crashes 98% Amid Market Manipulation Allegations
Gate News message, April 27 — RAVE, the native token of RaveDAO (a Web3-based cultural community project), skyrocketed 110x in two weeks before plummeting 98% over two days on April 19-20, prompting comparisons to the infamous 2007 Lubo stock manipulation scandal in South Korea.
On April 18, RAVE r
GateNews4h ago
Research reveals: Polymarket players take home 30% of profits by winning 3% of the positions—more than 70% of players absorb all losses
A new study analyzes Polymarket’s trading records from 2023–2025 and shows that only 3.14% of experienced winners control more than 30% of the profits. Crowd participation alone is not enough to explain overall accuracy; at the same time, it tracks 1,950 highly suspicious insider trading accounts that, while not driving predictions, amplified price volatility. The case shows that large bets were placed and profits were made before the U.S. announced developments regarding Venezuela. The research questions “wisdom of crowds” and emphasizes the need for increasingly strict regulation.
ChainNewsAbmedia5h ago
France: More than 40 crypto investor kidnappings in 2026, involving leaked tax data
According to Market Forces Africa, reported on April 27, incidents of kidnapping and violent attacks targeting cryptocurrency investors in France have increased sharply. On the X platform, Telegram founder Pavel Durov said that since the beginning of 2026, he has recorded 41 cases of cryptocurrency investor kidnappings, averaging one incident every 2.5 days, and that they are linked to a leak of French tax records.
MarketWhisper5h ago
