EngageLab SDK Vulnerability Exposes Private Data Across 50M Android Installs, Crypto Wallets Included
Key Findings
Critical flaw in the EngageLab SDK affected up to 50 million Android app installations, more than 30 million of them in crypto wallet apps
Intent redirection vulnerability let a malicious app on the same device borrow a vulnerable app's identity to reach components and files the Android sandbox should have kept private
EngageLab shipped the fix in version 5.2.1 on November 3, 2025; Microsoft had reported the flaw to EngageLab in April 2025 through coordinated disclosure
No active exploitation confirmed in the wild
Vulnerable apps were removed from Google Play Store following responsible disclosure
Background
EngageLab SDK is a push-notification SDK integrated into Android apps to deliver personalized notifications driven by user-behaviour tracking. It is widely adopted across cryptocurrency and digital-wallet apps, which is what makes this flaw more serious than a notification bug normally would be: the apps carrying it handle financial data and key material. Microsoft's Defender Security Research team found the vulnerability in SDK version 4.5.4 and reported it through coordinated disclosure.
How the Vulnerability Works
The flaw is an intent redirection issue in the SDK. Android isolates apps by running each under its own Linux UID in its own sandbox and mediates communication between them through intents; a component that is not exported can only be started by its own app. In an intent redirection, a malicious app sends a crafted intent to an exported component of the vulnerable app, and that component turns around and starts a second intent built from the attacker-controlled contents. Because the second intent is sent by the vulnerable app, it carries that app's identity and permissions, so it can reach the app's non-exported components and the data behind them, which should have stayed out of the attacker's reach.
The Root Cause
The root cause is an exported activity, MTCommonActivity, that the SDK's own manifest contributes and that the Android manifest merger adds to the app's final manifest at build time. Most developers never see it: it is absent from the project's own AndroidManifest.xml and only appears in the merged manifest. Because the activity is exported, any app on the device can start it. When MTCommonActivity handles attacker-controlled data it builds a new intent aimed at internal components and sets on it the Android flags that grant URI read and write access (FLAG_GRANT_READ_URI_PERMISSION and FLAG_GRANT_WRITE_URI_PERMISSION). That hands the attacker-chosen recipient access to content:// URIs served by the app's own content providers, a direct path to private files that the providers' export settings were supposed to block.
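The pattern described above, as an added illustration rather than EngageLab's own code: an exported activity that forwards a caller-supplied Intent with URI-grant flags, followed by a hardened version of the same activity. The class names, the `target_intent` extra key and the allow-list entry are placeholders for this example.

```java
// Added illustration of the intent-redirection pattern; not EngageLab's code.
// Class names, the extra key and the allow-list are placeholders for this example.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Vulnerable shape: an exported activity that forwards a caller-supplied Intent. */
public class VulnerableRedirectActivity extends Activity {
    static final String EXTRA_TARGET = "target_intent"; // placeholder extra key

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // This activity is exported (android:exported="true" in the merged manifest),
        // so getIntent() may come from any app on the device: treat it as hostile.
        Intent target = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (target == null) {
            finish();
            return;
        }
        // These flags make the started component a grantee of every content:// URI the
        // Intent carries, for providers that allow URI grants (a FileProvider, for example).
        target.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        // Started under this app's own UID. If the attacker pointed target's component at an
        // activity in their package and its data at content://<this app's provider>/..., the
        // victim app has just handed them read/write access to its private file.
        startActivity(target);
    }
}

/** Hardened shape. The real fix is android:exported="false" on the activity; the checks
 *  below are what to do if the activity must stay exported for some reason. */
class HardenedRedirectActivity extends Activity {
    static final String EXTRA_TARGET = "target_intent"; // placeholder extra key
    // Placeholder allow-list of internal activities this component may forward to.
    static final Set<String> ALLOWED_TARGETS = new HashSet<>(Arrays.asList(
            "com.example.app.NotificationDetailActivity"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent target = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (target == null) {
            finish();
            return;
        }
        // 1. Forward only to an explicitly named component of this package that is on the allow-list.
        ComponentName cn = target.getComponent();
        if (cn == null
                || !getPackageName().equals(cn.getPackageName())
                || !ALLOWED_TARGETS.contains(cn.getClassName())) {
            finish();
            return;
        }
        // 2. Never propagate URI-grant flags, a data URI or ClipData that the caller supplied.
        target.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        target.setData(null);
        target.setClipData(null);
        startActivity(target);
    }
}
```

The hardened form is a fallback, not the preferred design: an SDK that needs to open an internal screen in response to a notification should build that Intent itself from a small, validated set of parameters rather than accept a whole Intent from outside, and the component should not be exported at all unless another app genuinely has to start it.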
Why Crypto Wallets Carried the Most Exposure
Wallet applications accounted for the largest share of affected installations, more than 30 million documented instances. Because the flaw exposes an app's private files, digital-asset apps, which store keys, seed material and transaction data locally, would be the most attractive targets for anyone who did exploit it. Adding non-wallet apps that embed the same SDK brings total exposure past 50 million installations.
Timeline and Response
Microsoft identified the vulnerability in April 2025 and began coordinated disclosure with EngageLab. Because the affected apps were distributed through Google Play, the Android Security Team joined in May 2025. EngageLab fixed the issue in version 5.2.1, released November 3, 2025, by marking the component not exported, which stops other apps from starting it. Google then removed the vulnerable apps it detected from the Play Store. Developers who integrate the SDK should confirm, after upgrading, that their merged manifest no longer declares MTCommonActivity with android:exported="true": the fix only reaches users through the SDK version actually built into the app.
The Broader Third-Party SDK Risk
This incident illustrates a systemic weakness in mobile development's reliance on third-party libraries. Developers routinely pull in an SDK without knowing every component it adds, because manifest merging makes those additions invisible in the project's own files. A single flaw in a widely deployed library then cascades across millions of installs, and a supply-chain dependency becomes an attack surface in an app whose own code is sound. The practical countermeasure is to review the merged manifest, not just the project's: Android Studio shows it in the Merged Manifest tab of the manifest editor, the build writes it under build/intermediates as part of each variant's output, and for a built APK `apkanalyzer manifest print app.apk` prints the final manifest. Any exported component without an android:permission deserves a reason for being exported. Where an SDK component must be overridden before a fixed release is available, the manifest merger's tools:replace attribute can set android:exported="false" on it from the app's own manifest, but that override needs testing against the SDK's behaviour rather than being assumed safe.
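A small audit of the merged manifest, as an added example that is neither EngageLab's nor Microsoft's tooling: it lists every component that other apps can reach without holding a permission, which is exactly the shape MTCommonActivity had. `SAMPLE_MANIFEST` is a constructed manifest, and the `com.example.sdk` package is a placeholder for whatever package an SDK's components really live in.

```java
// Added example of auditing a merged AndroidManifest.xml for exported, unprotected
// components. Not EngageLab's or Microsoft's tooling; SAMPLE_MANIFEST is constructed
// and the SDK package "com.example.sdk" is a placeholder.
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class MergedManifestAudit {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";
    static final String[] COMPONENT_TAGS = {"activity", "activity-alias", "service", "receiver", "provider"};

    // Constructed sample: the app's launcher activity, an SDK activity pulled in by the
    // manifest merger, a permission-protected SDK service, and a FileProvider whose URIs
    // can be granted to other apps.
    static final String SAMPLE_MANIFEST = String.join("\n",
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>",
        "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\" package=\"com.example.wallet\">",
        "  <application>",
        "    <activity android:name=\".MainActivity\" android:exported=\"true\">",
        "      <intent-filter>",
        "        <action android:name=\"android.intent.action.MAIN\"/>",
        "        <category android:name=\"android.intent.category.LAUNCHER\"/>",
        "      </intent-filter>",
        "    </activity>",
        "    <activity android:name=\"com.example.sdk.MTCommonActivity\" android:exported=\"true\"/>",
        "    <service android:name=\"com.example.sdk.PushService\" android:exported=\"true\"",
        "             android:permission=\"com.example.wallet.permission.PUSH\"/>",
        "    <provider android:name=\"androidx.core.content.FileProvider\"",
        "              android:authorities=\"com.example.wallet.files\"",
        "              android:exported=\"false\" android:grantUriPermissions=\"true\"/>",
        "  </application>",
        "</manifest>");

    /** Returns one line per component that other apps can reach without holding a permission. */
    static List<String> findUnprotectedExports(InputStream manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Merged manifests are build output, but refuse DOCTYPEs (and so external entities) anyway.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(manifestXml);
        List<String> findings = new ArrayList<>();
        for (String tag : COMPONENT_TAGS) {
            NodeList nodes = doc.getElementsByTagName(tag);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element e = (Element) nodes.item(i);
                String name = e.getAttributeNS(ANDROID_NS, "name");
                String exported = e.getAttributeNS(ANDROID_NS, "exported");
                String permission = e.getAttributeNS(ANDROID_NS, "permission");
                boolean hasFilter = e.getElementsByTagName("intent-filter").getLength() > 0;
                // Before Android 12, a component with an intent-filter and no explicit
                // android:exported defaults to exported; providers (API 17+) default to not exported.
                boolean isExported = "true".equals(exported)
                        || (exported.isEmpty() && hasFilter && !tag.equals("provider"));
                if (isExported && permission.isEmpty()) {
                    findings.add(tag + " " + name + ": exported, no android:permission"
                            + (hasFilter ? "" : ", no intent-filter (reachable only by explicit component name)"));
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        InputStream in = args.length > 0
                ? new FileInputStream(args[0])
                : new ByteArrayInputStream(SAMPLE_MANIFEST.getBytes(StandardCharsets.UTF_8));
        for (String line : findUnprotectedExports(in)) {
            System.out.println(line);
        }
    }
}
```

Run it with the path to the merged manifest from the build output, or with no argument to audit the embedded sample. On the sample it flags the launcher activity (expected: the launcher must be exported) and the SDK activity, while the permission-protected service and the non-exported provider pass. An exported component with no intent-filter, as the SDK activity here, is the case worth a second look: no other app needs to resolve it implicitly, yet any app can start it by naming the component explicitly.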
Sources
https://securityaffairs.com/190586/hacking/engagelab-sdk-flaw-opens-door-to-private-data-on-50m-android-devices.html
https://thehackernews.com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html