A serious security flaw found inside a widely used Android library called EngageSDK has put over 30 million cryptocurrency wallet users at risk of financial theft and personal data exposure.
The vulnerability, an intent redirection flaw, let a malicious app installed on the same device borrow the vulnerable app's identity to reach data that Android's application sandbox would otherwise keep private to that app.
With crypto wallets holding real financial assets, a flaw of this nature carries consequences far beyond a standard privacy concern.
EngageSDK is a third-party software development kit built by a company called EngageLab. It is designed to help developers add push notifications and real-time messaging features to their Android applications.
Developers include it as a code dependency, after which it becomes part of how the app runs. Since so many apps rely on the same SDK, a single flaw inside it does not stay confined to one application — it puts every app built on it at risk at the same time.
During routine security research, the Microsoft Defender Security Research Team identified the vulnerability and noted that it resided inside an exported activity called MTCommonActivity.
The activity is declared in the library's own manifest and is merged into the app's manifest at build time, so it never appears in the app's AndroidManifest.xml, only in the merged output. Because developers rarely review the merged manifest, the exported activity went unreviewed and unprotected. Once an app that bundles the SDK is installed, any other app on the same phone can send intents to that activity.
The vulnerable MTCommonActivity activity is added to the merged manifest (Source – Microsoft)
The extent of this exposure is what makes the vulnerability especially concerning. Crypto wallet apps alone represented over 30 million installations, and when other apps built on the same SDK were counted, total exposure climbed past 50 million installations.
All apps confirmed to be running vulnerable versions were removed from Google Play. At the time of this report, there is no confirmed evidence that the vulnerability was exploited in attacks.
The flaw was first found in version 4.5.4 of the EngageLab SDK in April 2025. Microsoft reported it to EngageLab through Coordinated Vulnerability Disclosure (CVD) practices under Microsoft Security Vulnerability Research (MSVR).
The issue was then escalated to the Android Security Team in May 2025. EngageLab released a fix in version 5.2.1 on November 3, 2025, which resolved the exposure by setting the vulnerable activity to non-exported.
How the Intent Redirection Attack Works
Intent redirection is a pattern in which a component of a trusted app takes an intent (Android's message object) supplied by another app, extracts a second, embedded intent from it, and launches that embedded intent as if it were its own.
On Android, intents are the primary way apps communicate with each other and with their own internal components. Whatever the embedded intent does, such as starting one of the trusted app's non-exported components or granting URI permissions on its content providers, the system attributes to the trusted app, not to the app that supplied the payload.
Attackers exploit this trust to perform operations they could not perform directly, while hiding behind a legitimate application's identity.
A malicious app begins the attack by sending a specially crafted URI to the exposed MTCommonActivity activity.
Visual representation of an intent redirection (Source – Microsoft)
That activity passes the URI through a method called processIntent(), which forwards it to processPlatformMessage().
The processPlatformMessage() method (Source – Microsoft)
This method pulls out a field named n_intent_uri, parses it into a new intent, and launches that intent using the trusted app's own identity and permissions.
Because the SDK parses the string with the URI_ALLOW_UNSAFE flag, the resulting intent keeps the FLAG_GRANT_READ_URI_PERMISSION, FLAG_GRANT_WRITE_URI_PERMISSION and persistable-grant flags that Intent.parseUri() would otherwise strip. A malicious app can therefore point the embedded intent back at one of its own components, attach a content:// URI for the wallet's non-exported content provider, and receive a read/write grant to that provider, made on its behalf by the wallet app itself.
Getting READ – WRITE access to non-exported content providers (Source – Microsoft)
As a result, whatever the wallet app stores behind those providers, including credentials, private keys and other sensitive financial data, becomes silently readable and writable by the attacker.
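The following Android code is an added example, not EngageSDK's source or anything published by Microsoft. It shows the redirection pattern the article describes in the shape a library might ship it, beside a hardened version of the same handler. The names MTCommonActivity, processIntent, processPlatformMessage and n_intent_uri are taken from the article; whether n_intent_uri arrives as an intent extra or inside a JSON payload is not stated, so an extra is assumed. The package names, the provider authority and the crafted URI are constructed for illustration.

```java
// Added example (not EngageSDK's code): the intent-redirection shape the article
// describes, beside a hardened handler. Package names, provider authority and the
// crafted URI are assumptions made for illustration.
package com.example.redirect;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import java.net.URISyntaxException;

public class MTCommonActivity extends Activity {
    private static final String TAG = "MTCommonActivity";

    // What a malicious app could place in n_intent_uri (constructed example).
    // Intent.parseUri turns it into:
    //   data      = content://com.victim.wallet.provider/keystore  (victim's non-exported provider)
    //   flags     = 0x3 = FLAG_GRANT_READ_URI_PERMISSION | FLAG_GRANT_WRITE_URI_PERMISSION
    //   component = com.attacker.evil/.StealActivity               (attacker's own component)
    // Launched by the victim app, the grant is made with the victim's identity, so the
    // attacker's activity gets a URI permission to a provider it could never open itself.
    static final String CRAFTED_URI =
            "intent://com.victim.wallet.provider/keystore#Intent;scheme=content;"
          + "action=android.intent.action.VIEW;launchFlags=0x3;"
          + "component=com.attacker.evil/.StealActivity;end";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        processIntent(getIntent());
        finish();
    }

    void processIntent(Intent intent) {
        if (intent == null) return;
        String uri = intent.getStringExtra("n_intent_uri");   // assumed to be an extra
        if (uri != null) processPlatformMessage(uri);
    }

    // VULNERABLE shape: whatever the caller supplied is relaunched as this app.
    // URI_ALLOW_UNSAFE keeps the FLAG_GRANT_* bits in launchFlags (and any selector);
    // without it parseUri strips those bits from the parsed intent.
    void processPlatformMessage(String uriString) {
        try {
            Intent target = Intent.parseUri(uriString,
                    Intent.URI_INTENT_SCHEME | Intent.URI_ALLOW_UNSAFE);
            startActivity(target);   // runs with this app's identity and permissions
        } catch (URISyntaxException e) {
            Log.w(TAG, "bad n_intent_uri", e);
        }
    }

    // HARDENED shape: same feature, but the embedded intent may only name one of this
    // app's own components, carries no URI grants, and is parsed without URI_ALLOW_UNSAFE.
    void processPlatformMessageSafely(String uriString) {
        try {
            Intent target = Intent.parseUri(uriString, Intent.URI_INTENT_SCHEME);
            if (!isSafeRedirect(target)) {
                Log.w(TAG, "rejected redirect: " + uriString);
                return;
            }
            startActivity(target);
        } catch (URISyntaxException e) {
            Log.w(TAG, "bad n_intent_uri", e);
        }
    }

    static final int GRANT_FLAGS = Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    boolean isSafeRedirect(Intent target) {
        ComponentName cn = target.getComponent();
        // Must explicitly name one of our own components; no implicit resolution.
        if (cn == null || !getPackageName().equals(cn.getPackageName())) return false;
        // No permission grants may ride along on the relaunched intent.
        if ((target.getFlags() & GRANT_FLAGS) != 0) return false;
        // A selector could retarget the intent after our checks.
        if (target.getSelector() != null) return false;
        // Never forward content:// URIs at all; that is the data the attacker wants.
        Uri data = target.getData();
        if (data != null && "content".equals(data.getScheme())) return false;
        return true;
    }
}
```

The allowlist in isSafeRedirect() is defence in depth, not the fix: an attacker who can still reach the activity could still target the app's own non-exported components with a benign-looking intent. The actual remediation, as EngageLab shipped it in 5.2.1, is to declare the activity android:exported="false" so that other apps cannot send it intents in the first place; the checks above limit the damage if an exported entry point must remain.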
Developers using the EngageLab SDK should upgrade to version 5.2.1 or later without delay. After every build, developers should inspect the merged Android manifest, not just their own AndroidManifest.xml, for exported activities, services, receivers or providers and for unexpected permissions contributed by third-party libraries.
Intent data arriving from outside the app should always be validated before it is used; in particular, an intent or URI embedded inside another intent should never be relaunched without checking where it points and which flags it carries. According to the report, users who previously installed a vulnerable app are now protected, as Android has deployed automatic mitigations targeting this specific flaw while developers complete their updates.
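The merged-manifest review recommended above can be scripted. The scanner below is an added example, not tooling from EngageLab, Microsoft or Google: it parses a merged AndroidManifest.xml and lists every component another app can reach, either because it is declared android:exported="true" or because it has an intent-filter with no explicit exported attribute (the implicit export Android still honours for apps targeting SDK 30 and below). The sample manifest is constructed for the demonstration; the com.example.sdk.MTCommonActivity entry mirrors the shape the article describes and is not EngageSDK's real class name, and the Gradle output path in main() is an assumption that varies by plugin version.

```java
// Added example (not from EngageLab, Microsoft or Google): list components other apps
// can reach in a merged AndroidManifest.xml. Sample manifest is constructed; the SDK
// class name and the Gradle path are assumptions.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ExportedComponents {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";
    static final String[] KINDS = {"activity", "activity-alias", "service", "receiver", "provider"};

    // Constructed sample: one library-contributed exported activity, one implicitly
    // exported receiver, one correctly non-exported provider.
    static final String SAMPLE_MANIFEST = String.join("\n",
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>",
        "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.wallet\">",
        "  <application>",
        "    <activity android:name=\".MainActivity\" android:exported=\"true\">",
        "      <intent-filter><action android:name=\"android.intent.action.MAIN\"/>",
        "        <category android:name=\"android.intent.category.LAUNCHER\"/></intent-filter>",
        "    </activity>",
        "    <activity android:name=\"com.example.sdk.MTCommonActivity\" android:exported=\"true\"/>",
        "    <activity android:name=\".SettingsActivity\"/>",
        "    <receiver android:name=\".PushReceiver\">",
        "      <intent-filter><action android:name=\"com.example.PUSH\"/></intent-filter>",
        "    </receiver>",
        "    <provider android:name=\".KeystoreProvider\"",
        "              android:authorities=\"com.example.wallet.keystore\" android:exported=\"false\"/>",
        "  </application>",
        "</manifest>");

    /** Returns one "kind name (reason)" line per component reachable from other apps. */
    static List<String> findExported(InputStream manifest) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD tricks
        Document doc = f.newDocumentBuilder().parse(manifest);
        List<String> out = new ArrayList<>();
        for (String kind : KINDS) {
            NodeList nodes = doc.getElementsByTagName(kind);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element e = (Element) nodes.item(i);
                String name = e.getAttributeNS(ANDROID_NS, "name");
                String exported = e.getAttributeNS(ANDROID_NS, "exported");   // "" when absent
                boolean hasFilter = e.getElementsByTagName("intent-filter").getLength() > 0;
                if ("true".equals(exported)) {
                    out.add(kind + " " + name + " (android:exported=\"true\")");
                } else if (exported.isEmpty() && hasFilter) {
                    // Implicit export: exactly the kind of line a library can contribute
                    // to the merged manifest without the app author ever seeing it.
                    out.add(kind + " " + name + " (intent-filter, no explicit android:exported)");
                } else if (exported.isEmpty() && "provider".equals(kind)) {
                    out.add(kind + " " + name + " (provider, no explicit android:exported)");
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Typical merged manifest location (assumed; differs across Gradle plugin versions):
        //   app/build/intermediates/merged_manifests/debug/AndroidManifest.xml
        InputStream in = args.length > 0
            ? Files.newInputStream(Paths.get(args[0]))
            : new ByteArrayInputStream(SAMPLE_MANIFEST.getBytes(StandardCharsets.UTF_8));
        for (String line : findExported(in)) System.out.println(line);
    }
}
```

Run against the built-in sample it reports the launcher activity, the SDK's MTCommonActivity and the PushReceiver, and stays silent on SettingsActivity and the non-exported provider. Every line it prints for a class you did not write yourself deserves a look at why the library needs that component reachable from other apps.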
The post EngageSDK Vulnerability Exposes Millions of Crypto Wallet Users to Cyberattacks appeared first on Cyber Security News.