[TIMESTAMP: 2026-04-10 08:39 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CVE-2024-21390: EngageLab SDK Vulnerability Risks Android Crypto Wallets

// executive briefing tl;dr
  • [01] Millions of Android cryptocurrency wallet users are at risk of private key theft due to a flaw in a third-party notification SDK.
  • [02] Applications integrating the EngageLab SDK version 4.4.0 and earlier are susceptible to unauthorized data access via local exploits.
  • [03] Developers must update the EngageLab SDK to the latest version and ensure sensitive cryptographic material is stored in hardware-backed keystores.

Microsoft researchers have identified a significant security flaw in a widely used third-party mobile software development kit (SDK) that left millions of Android users—specifically those using cryptocurrency wallets—vulnerable to asset theft. The vulnerability was found within the EngageLab SDK, a platform frequently utilized by mobile developers for push notifications and analytics. This discovery highlights the persistent risks associated with the Supply Chain Attack vector, where vulnerabilities in common libraries propagate through hundreds of downstream applications.

According to SecurityWeek, Microsoft reported the issue to EngageLab approximately one year ago. The vulnerability, tracked as CVE-2024-21390, stemmed from an insecure implementation of the SDK’s messaging system, which allowed for unauthorized access to sensitive application data. The SDK in question was formerly known as Jiguang JPush, a popular component in several high-profile financial applications.

EngageLab SDK Vulnerability Analysis

The technical root of the issue lies in the SDK’s handling of cross-app communication. In the Android environment, applications often communicate using intents. If these intents are not properly secured using signature-level permissions, other applications on the same device can intercept them. The EngageLab SDK failed to adequately protect these communication channels, allowing a malicious application—potentially delivered via Phishing—to listen for broadcasts containing sensitive information.

Furthermore, the researchers found that the SDK stored sensitive data in world-readable files or utilized predictable identifiers that could be accessed by other processes. For a cryptocurrency wallet, this data often includes session tokens, API keys, or even recovery seed phrases if the application logic incorrectly passes this information through the SDK’s logging or notification handlers. This CVE demonstrates that even if a wallet developer follows best practices for their own code, a single insecure third-party library can bypass sandbox protections.

Impact on the Android Crypto Ecosystem

The scale of this vulnerability is significant due to the popularity of the EngageLab components in the Asia-Pacific region and among international fintech developers. Because cryptocurrency transactions are irreversible, the compromise of a seed phrase or private key represents a total loss of assets for the victim. Threat actors often refine their TTPs to target such high-value local vulnerabilities, because these flaws bypass traditional network-layer security controls.

Security teams and SOCs monitoring mobile environments should look for IoCs related to unauthorized apps requesting broad permission sets or attempting to interact with the JPush service components. While the attack requires local presence on the device, the proliferation of ‘dropper’ malware makes this a realistic scenario for targeted theft.

How to Secure Android Crypto Wallets

To mitigate this threat, developers must immediately update the EngageLab SDK to the latest patched version. Beyond simple patching, security professionals should adopt a Zero Trust approach to third-party integrations. This includes:

  • Data Minimization: Ensure that no sensitive cryptographic material or PII is ever passed to third-party SDKs for analytics or notification purposes.
  • Hardware Security: Utilize the Android Keystore system and Hardware Security Modules (HSM) to ensure private keys never leave a secure execution environment, making them inaccessible even if the application’s data folders are compromised.
  • Permission Auditing: Use the MITRE ATT&CK framework to map out potential lateral movement paths on mobile devices, specifically focusing on how malicious apps might exploit inter-process communication (IPC).

For end-users, the recommendation is to ensure all financial and cryptocurrency applications are updated to their latest versions via the Google Play Store and to avoid installing applications from unverified third-party sources.
