
Microsoft Finds Android SDK Flaw Hiding Inside 30M+ Crypto Wallets


Microsoft exposed a critical intent redirection flaw in EngageLab’s Android SDK, silently threatening over 30 million crypto wallet installs.

A flaw buried deep inside a push notification library just put millions of crypto users at risk. Microsoft’s Defender Security Research Team disclosed a severe intent redirection vulnerability in EngageLab’s Android SDK, known as EngageSDK. The flaw let rogue apps bypass Android’s security sandbox entirely. From there, attackers could reach private wallet data without any user interaction.

The affected SDK is used by developers to handle in-app messaging and push notifications. It gets imported as a dependency, which means developers often never see the full picture of what lands inside their app. Over 30 million installs of crypto wallet apps alone were running the vulnerable code. Total exposure across all app categories reached beyond 50 million installs.

The Hidden Door Nobody Noticed

The problem lived inside an exported activity called MTCommonActivity. It appears only in the merged Android manifest, which the build generates by combining the app’s own manifest with the manifests of every library it pulls in. That timing matters. Most developers review only the manifest they wrote and simply miss it.

Because the activity was exported, any other app on the same device could send an intent directly to it. The vulnerable activity then processed that intent and dispatched a new one using the host app’s own identity and permissions. That second intent is where things go wrong fast.

Microsoft’s research confirmed that the activity’s handler processed incoming URIs and fed them into an intent construction chain. The code invoked Intent.parseUri with the URI_ALLOW_UNSAFE flag. That flag can open access to an app’s content providers, including ones that were never meant to be public. Combined with persistent read and write permission flags baked into the exploit intent, an attacker gains lasting access to the app’s private storage. No re-exploitation needed.

30 Million Wallets, One Overlooked Library

Microsoft identified the flaw in version 4.5.4 of the SDK back in April 2025. The team reported it to EngageLab through Coordinated Vulnerability Disclosure via the Microsoft Security Vulnerability Research program. The Android Security Team was also brought in, given that the affected apps were live on Google Play.

EngageLab patched it in version 5.2.1, released November 3, 2025. The fix was direct: MTCommonActivity was set to non-exported, cutting off outside apps from reaching it. All detected apps still running the vulnerable version have since been removed from Google Play.

As the Microsoft Defender Security Research Team noted in their disclosure, the issue shows how weaknesses in third-party SDKs carry large-scale implications, especially in sectors like digital asset management where 2025 saw repeated security failures. Credential theft, private key exposure, and PII leaks were all within reach for any attacker exploiting the flaw.

No evidence of active exploitation has been found at the time of disclosure. Android also pushed updated user-level protections targeting the specific EngageSDK risk while developers transition to the patched version. Users who had a vulnerable app installed are now covered.

What Developers Must Do Now

Any developer still running EngageSDK below version 5.2.1 needs to update immediately. Microsoft specifically called out the merged manifest review as a step developers often skip. Third-party libraries can inject exported components into apps without developers realizing it. Those components become attack surfaces.
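The merged-manifest review Microsoft recommends is easy to automate, and the property it needs to catch is the one that exposed MTCommonActivity: a component reachable by any app on the device with no permission gating it. The script below is an added example, not code from Microsoft, EngageLab or this article. It parses a merged AndroidManifest.xml and lists every activity, service, receiver or provider that is exported, explicitly or implicitly, without an android:permission attribute. The two manifest fragments inside it are constructed samples; the package name com.example.thirdpartysdk, the wallet app name and the build-output path in the comment are assumptions, not values from the disclosure.

```python
"""Audit a merged AndroidManifest.xml for components other apps can reach.
Added example; the manifests below are constructed and the SDK package
name is a placeholder."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_exposed_components(manifest_xml, expected=()):
    """Return (tag, name, reason) for every component that any app on the
    device can reach without holding a permission. Names listed in
    `expected` (e.g. the launcher activity) are skipped on purpose."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = _attr(elem, "name")
        if name in expected:
            continue
        exported = _attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            # Before targetSdk 31, a component with an intent-filter and no
            # explicit android:exported attribute is exported by default.
            reason = "exported implicitly (intent-filter, no android:exported)"
        else:
            continue
        if _attr(elem, "permission"):
            continue  # gated by a permission, so not open to arbitrary apps
        findings.append((elem.tag, name, reason))
    return findings


# Constructed merged manifest: the SDK activity arrived through the merge
# and was never written by the wallet developer.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:label="Wallet">
    <activity android:name="com.example.wallet.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.thirdpartysdk.MTCommonActivity" android:exported="true"/>
    <receiver android:name="com.example.thirdpartysdk.PushReceiver">
      <intent-filter>
        <action android:name="com.example.thirdpartysdk.MESSAGE"/>
      </intent-filter>
    </receiver>
    <provider android:name="com.example.wallet.KeyProvider"
        android:authorities="com.example.wallet.keys"
        android:exported="true"
        android:permission="com.example.wallet.READ_KEYS"/>
  </application>
</manifest>
"""

# Constructed manifest after the library fix: the SDK components are no
# longer exported, so only the launcher activity remains reachable.
PATCHED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:label="Wallet">
    <activity android:name="com.example.wallet.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.thirdpartysdk.MTCommonActivity" android:exported="false"/>
    <receiver android:name="com.example.thirdpartysdk.PushReceiver" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    # Typical merged-manifest location under an Android Gradle build (assumed):
    #   app/build/intermediates/merged_manifests/<variant>/AndroidManifest.xml
    if len(sys.argv) > 1:
        source, expected = open(sys.argv[1], encoding="utf-8").read(), set()
    else:
        source, expected = VULNERABLE_MANIFEST, {"com.example.wallet.MainActivity"}
    for tag, name, reason in find_exposed_components(source, expected):
        print(f"{tag} {name}: {reason}")
```

Run it against the merged manifest after every build, not against the source manifest. Anything it reports that the app does not intentionally expose should end up with android:exported="false" in the merged output, either by upgrading the library (as EngageLab did in 5.2.1) or by overriding the attribute in the app’s own manifest through the manifest merger’s tools: markers. Components the app must export should carry an android:permission, which the script treats as gated.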

The research also flags a broader supply chain problem. Apps depend on external libraries constantly. Each one is a potential entry point if the integration is not carefully audited. The more an app relies on imported SDKs, the harder it gets to track every component that ends up in the final build.

Microsoft’s guidance ties directly into its Defender XDR tooling and Security Copilot for teams needing to assess exposure at scale.
