A critical vulnerability in a widely used third-party Android SDK has exposed millions of cryptocurrency wallet users to potential data theft and security risks.
Security researchers at Microsoft identified the flaw in EngageSDK, developed by EngageLab. The SDK is commonly integrated into mobile applications for managing messaging and push notifications and is used by crypto wallet apps with over 30 million combined installations.
The vulnerability stems from an intent redirection flaw within Android’s inter-application communication mechanism. Android intents are designed to allow apps and system components to exchange data and trigger actions. However, improper validation in affected versions of the SDK allows attackers to manipulate these intents.
By exploiting this flaw, a malicious application installed on a user’s device could send specially crafted intents to a vulnerable app, bypassing Android’s security sandbox. This could enable unauthorized access to sensitive data, including personal information, login credentials, and financial details.
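The intent-redirection pattern described above, shown as an added generic illustration that is not EngageSDK's or EngageLab's code: a hypothetical exported `ForwarderActivity` relays a caller-supplied nested Intent (read from a hypothetical extra key `target_intent`), first in the unsafe form the text describes and then with the validation that keeps a foreign app from reaching components it could not start on its own.

```java
// Added illustration (not EngageSDK's code): generic Android intent redirection,
// unsafe form beside the hardened check. Assumptions: a hypothetical exported
// activity "ForwarderActivity" and a hypothetical extra key "target_intent".
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.util.Log;

public class ForwarderActivity extends Activity {
    private static final String EXTRA_TARGET = "target_intent"; // hypothetical key

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (nested == null) { finish(); return; }

        // UNSAFE: forwarding the caller-supplied Intent untouched lets any app on
        // the device launch this app's non-exported components under this app's
        // identity, carrying along any URI-grant flags the caller attached.
        // startActivity(nested);

        if (isSafeToForward(nested)) {
            startActivity(nested);
        } else {
            Log.w("Forwarder", "Dropped redirect to " + nested.getComponent());
        }
        finish();
    }

    // Hardened check: only forward to targets an external app could have started
    // directly anyway, and never pass this app's URI permissions along.
    private boolean isSafeToForward(Intent nested) {
        ResolveInfo ri = getPackageManager().resolveActivity(nested, 0);
        if (ri == null) return false;
        ComponentName target =
                new ComponentName(ri.activityInfo.packageName, ri.activityInfo.name);
        // Anything resolving into our own package is the redirection primitive itself.
        if (target.getPackageName().equals(getPackageName())) return false;
        // Non-exported targets are unreachable to the caller on its own; keep it that way.
        if (!ri.activityInfo.exported) return false;
        // Strip grant flags so the callee does not inherit our content-provider access.
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        return true;
    }
}
```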
Microsoft disclosed that the issue affects unpatched versions of the SDK and poses significant risks, particularly for financial and crypto applications where sensitive user data is handled.
Microsoft notified EngageLab in April 2025 and then coordinated with the Android Security Team, given the widespread use of affected apps on Google Play.
In response, apps using vulnerable versions of the SDK were removed from Google Play, and platform-level mitigations were implemented to reduce exploitation risks for users who had already installed affected applications.
A fix was released by EngageLab in November 2025 with version 5.2.1 of the SDK. Developers are strongly advised to update to the latest version to prevent potential exploitation.
The incident highlights the growing security risks associated with third-party dependencies in mobile applications, especially in high-stakes sectors such as cryptocurrency, where vulnerabilities can directly impact user funds and privacy.