TLDR:
- Microsoft found the EngageLab SDK bug could expose private wallet data across 30M Android installs globally.
- The flaw abused Android intents to grant hostile apps persistent read and write provider permissions.
- EngageLab fixed the issue in v5.2.1 by changing MTCommonActivity to non-exported status.
- Google Play removed affected wallet apps, while Android added safeguards for already installed versions.
Microsoft has disclosed a severe Android SDK vulnerability that placed more than 30 million crypto wallet installs at risk. The flaw affected EngageLab’s widely used EngageSDK, which many wallet apps used for push messaging features.
According to Microsoft’s security research, the issue enabled malicious apps on the same device to bypass sandbox protections. Google Play has since removed all identified apps using the vulnerable SDK versions.
EngageLab Android SDK Flaw Exposed Crypto Wallet Attack Surface
Microsoft said the issue centered on an exported Android activity called MTCommonActivity.
The component was automatically added during manifest merging after developers imported the SDK. Because it appeared post-build, many teams likely missed it during review. That left production APKs open to hidden risk.
The vulnerable flow began when the activity received an external intent. Its onCreate() and onNewIntent() callbacks both routed data into processIntent().
That method extracted a URI string and forwarded it deeper into the SDK logic. The chain eventually rebuilt and launched a new intent.
Microsoft’s write-up noted the critical failure happened in a helper method. Instead of returning a safe implicit intent, it returned an explicitly targeted one. That changed Android’s normal resolution path and let hostile apps redirect execution.
In practice, the vulnerable wallet app launched the malicious payload with its own privileges.
The risk worsened because the SDK used Android’s URI_ALLOW_UNSAFE flag. That allowed persistent read and write URI permissions inside the redirected intent.
A malicious app could then gain access to non-exported content providers. From there, sensitive wallet files, credentials, and user data became reachable.
Microsoft Patch Timeline and Android Wallet Mitigation Guidance
Microsoft Security Vulnerability Research first identified the flaw in EngageSDK version 4.5.4 in April 2025. It then notified EngageLab under coordinated disclosure rules.
The Android Security Team also received the report because affected apps were live on Google Play. The fix arrived months later in version 5.2.1 on November 3, 2025.
In the patched release, EngageLab changed the vulnerable activity to non-exported. That single change blocks outside apps from invoking the component directly. Microsoft said it currently has no evidence of in-the-wild exploitation. Still, it urged developers to update immediately.
The report stressed that third-party SDKs can silently expand wallet attack surfaces.
Crypto apps face elevated stakes because they often store keys, credentials, and financial identifiers. Even minor upstream library flaws can ripple across millions of devices. This case pushed total exposure above 50 million installs when non-wallet apps were included.
Microsoft also said Android added automatic protections for previously installed vulnerable apps. Those mitigations reduce risk while developers migrate to the fixed SDK.
The company urged teams to inspect merged manifests after every dependency update. That review can catch exported components before release.
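As an added defensive example (not code from Microsoft, EngageLab, or any wallet app discussed here), the following Python check reads a merged AndroidManifest.xml and lists components that other apps can reach, which is the post-merge review the article recommends; the sample manifest and the com.example.wallet / com.vendor.sdk names are constructed placeholders. It also flags the pre-API-31 implicit export (an intent-filter with no android:exported attribute), which goes beyond the explicitly exported case in the text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed merged manifest (placeholder names): an SDK activity pulled in during
# manifest merge, modelled on the MTCommonActivity case, beside the app's own activities.
SAMPLE_MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name="com.example.wallet.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <!-- added by a dependency during manifest merge, never written by the app team -->
    <activity android:name="com.vendor.sdk.MTCommonActivity" android:exported="true"/>
    <activity android:name="com.vendor.sdk.InternalActivity" android:exported="false"/>
    <activity android:name="com.vendor.sdk.LegacyActivity">
      <intent-filter><action android:name="com.vendor.sdk.ACTION_OPEN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

def _attr(el, name):
    # android:* attributes are namespaced in the parsed tree
    return el.get(f"{{{ANDROID_NS}}}{name}")

def find_exported_components(manifest_xml):
    """Components other apps can reach, as (name, reason, android:permission)."""
    # exported="true" is explicit; an <intent-filter> with no exported attribute is
    # the pre-API-31 default export and is the case reviewers most often miss.
    findings = []
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(el, "exported")
        if exported == "true":
            reason = "exported=true"
        elif exported is None and el.find("intent-filter") is not None:
            reason = "implicit export via intent-filter"
        else:
            continue
        findings.append((_attr(el, "name"), reason, _attr(el, "permission")))
    return findings

def unexpected_exports(manifest_xml, allowlist):
    """Exported components the team has not knowingly approved in its allowlist."""
    return [f for f in find_exported_components(manifest_xml) if f[0] not in allowlist]
```

Run it against the real merged manifest from the build output (not the source manifest) with the app's own intentionally exported components in the allowlist; anything it reports with permission=None deserves a look before release.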