A Third-Party SDK at the Center of the Threat
Security researchers at Microsoft have uncovered a serious vulnerability lurking inside a widely adopted third-party Android SDK, one that places the sensitive financial and personal data of millions of cryptocurrency wallet users at risk. The affected component is EngageSDK, developed by EngageLab and designed to handle messaging and push notification management in mobile applications.
Because the SDK is integrated directly into Android apps as a dependency — rather than distributed as a standalone product — its vulnerabilities propagate silently into every application that bundles it. According to Microsoft, crypto wallet apps incorporating vulnerable versions of EngageSDK collectively account for more than 30 million installations.
How the Intent-Redirection Flaw Works
The vulnerability centers on Android intents, which are the messaging objects that facilitate interaction between different applications and between components within the same app. Microsoft researchers identified an intent redirection flaw in EngageSDK that allows an attacker to manipulate the contents of an intent transmitted by a vulnerable application.
In a practical attack scenario, a threat actor installs a malicious application on the target's device. That rogue app then sends specially crafted intents that exploit the vulnerable app as a conduit — effectively using it as a proxy to bypass Android's security sandbox. Once the sandbox is circumvented, the attacker can gain unauthorized access to:
- Personal identifying information
- User credentials
- Financial data stored within the wallet application
The attack does not require any system-level privileges on the part of the malicious app itself, making it particularly concerning for everyday users who might unknowingly install a seemingly benign application alongside a legitimate crypto wallet.
Disclosure Timeline and Coordinated Response
Microsoft notified EngageLab's developers of the vulnerability in April 2025. Because affected apps were distributed through Google Play, the Android Security Team was also informed the following month, in May 2025. This coordinated disclosure approach ensured that both the SDK developer and the platform operator could take action.
EngageLab subsequently released a patch with the launch of version 5.2.1 in early November 2025. Microsoft publicly disclosed the full technical details following that fix, urging all developers who integrate EngageSDK into their applications to upgrade to the latest version without delay.
Google Play Removals and Android's Layered Defenses
Microsoft confirmed that all detected crypto wallet applications using vulnerable versions of EngageSDK have been removed from Google Play. The company also noted that Android's built-in layered security model offers additional mitigations that should protect users who had previously downloaded an affected app before the removals took place.
"While this is a vulnerability introduced by a third-party SDK, Android's existing layered security model is capable of providing additional mitigations against exploitation of vulnerabilities through intents," Microsoft explained.
This statement underscores an important nuance: the flaw originated in a third-party component, not in the Android operating system itself. Nonetheless, platform-level protections can still blunt the practical impact of such supply-chain vulnerabilities.
No Evidence of Active Exploitation
Despite the severity of the flaw and the large number of potentially affected installations, Microsoft stated that it found no evidence of exploitation in the wild. This suggests the vulnerability was caught and remediated before malicious actors could weaponize it at scale — though the window between discovery in April 2025 and the patch in November 2025 was a considerable span of time.
What Developers Need to Do
With the public disclosure now live, the risk of exploitation increases as technical details become available to the broader security community and, inevitably, to threat actors. Developers who have integrated EngageSDK into any Android application should take the following steps immediately:
- Audit current project dependencies to identify whether EngageSDK is in use and, if so, which version.
- Upgrade to EngageSDK version 5.2.1 or later, which contains the official patch from EngageLab.
- Resubmit updated application builds to Google Play to ensure end users receive the patched version through normal update channels.
- Review any custom intent-handling logic within the application for additional intent-redirection exposure points.
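The pattern behind the flaw described above, and the kind of check the last review step is looking for, as an added illustrative example that is not EngageSDK's or EngageLab's code: an exported Android activity that re-launches an Intent carried in its own extras, with the vulnerable call beside a hardened version. The class name, the extra name and the allow-listed target are assumptions.

```java
// Added illustrative example (not EngageSDK's or EngageLab's code): an exported
// Android activity that re-launches an Intent embedded in its extras, shown in its
// vulnerable form and a hardened form. Class, extra and target names are assumptions.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;
import java.util.List;

public class NotificationRouterActivity extends Activity {
    static final String EXTRA_TARGET = "target_intent";  // assumed extra name
    // Allow-list of in-package components this router may legitimately open.
    static final List<String> ALLOWED_TARGETS = Arrays.asList(
            "com.example.wallet.NotificationDetailActivity");  // hypothetical

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forwarded = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (forwarded == null) { finish(); return; }

        // VULNERABLE: re-launching the caller-supplied Intent as-is lets any app on
        // the device reach arbitrary components, including this app's own
        // non-exported ones, with this app's identity and permissions.
        // startActivity(forwarded);

        // HARDENED: forward only after the Intent passes the checks below.
        if (isSafeToForward(forwarded)) {
            startActivity(forwarded);
        }
        finish();
    }

    /** True only for an Intent that resolves to an allow-listed component in our own
     *  package and carries no URI-permission grant flags attached by the caller. */
    boolean isSafeToForward(Intent target) {
        ComponentName cn = target.resolveActivity(getPackageManager());
        if (cn == null || !getPackageName().equals(cn.getPackageName())
                || !ALLOWED_TARGETS.contains(cn.getClassName())) {
            return false;  // would leave the sandbox or reach a private component
        }
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        if ((target.getFlags() & grantFlags) != 0) {
            return false;  // refuse to lend our content-provider access to the caller
        }
        target.setComponent(cn);  // pin the target so it cannot be re-resolved later
        return true;
    }
}
```

A stricter design avoids accepting an embedded Intent at all and instead reads only plain data fields from the extras and builds the target Intent itself.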
Broader Implications for Mobile Supply-Chain Security
This incident is a textbook example of the risks inherent in third-party SDK adoption. When developers integrate external libraries to accelerate feature development — such as push notification management — they also inherit any security flaws those libraries carry. A single vulnerable SDK can silently affect dozens or hundreds of apps, collectively reaching tens of millions of users.
Cryptocurrency wallet applications are especially high-value targets, given that a successful exploit can translate directly into financial theft. The combination of sensitive data, large install bases, and frequent reliance on third-party SDKs makes this category of application a persistent focal point for security research and adversarial interest alike.
Microsoft's discovery and responsible disclosure of the EngageSDK vulnerability serves as a reminder that robust supply-chain vetting — including regular audits of third-party dependencies — is an essential component of mobile application security practice.
Source: SecurityWeek