Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AI Used in Ticketmaster Attack to Score Free Tickets
July 3, 2026
Anthropic Details Claude 3.5 Sonnet Safeguards and Jailbreak Framework
July 3, 2026
Google Disrupts NetNut Residential Proxy Botnet Exploiting 2 Million Devices
July 3, 2026
Home/Threats/Critical EngageSDK Flaw Exposes Millions of Crypto Wallet Users
Threats

Critical EngageSDK Flaw Exposes Millions of Crypto Wallet Users

Key Takeaways A critical intent redirection vulnerability (CVE-202X-XXXX) was discovered in EngageSDK, an Android library used for push notifications and messaging. The flaw exposed over 30 million...

Sarah simpson
Sarah simpson
April 10, 2026 4 Min Read
29 0

Key Takeaways

  • A critical intent redirection vulnerability (CVE-202X-XXXX) was discovered in EngageSDK, an Android library used for push notifications and messaging.
  • The flaw exposed over 30 million cryptocurrency wallet users and more than 50 million total app installations to potential data theft.
  • Malicious applications could exploit the vulnerability to bypass Android’s sandbox, gaining unauthorized read/write access to sensitive data within affected apps.
  • EngageLab released a fix in version 5.2.1 of the SDK, and Google has removed all confirmed vulnerable apps from Google Play while also deploying automatic mitigations.

EngageSDK Flaw Jeopardizes Millions of Crypto Wallet Users

A significant security vulnerability within EngageSDK, a widely adopted Android library, has put more than 30 million cryptocurrency wallet users at risk of financial asset theft and personal data compromise. The flaw, identified as an intent redirection vulnerability, could allow malicious applications on the same device to circumvent Android’s security mechanisms and access private user information without authorization.

Table Of Content

  • Key Takeaways
  • EngageSDK Flaw Jeopardizes Millions of Crypto Wallet Users
  • Understanding EngageSDK and the Vulnerability
  • How the Intent Redirection Attack Works
  • What You Should Do

Given that crypto wallets manage real financial assets, the implications of such a vulnerability extend far beyond typical privacy concerns, posing a direct threat to users’ digital wealth.

Understanding EngageSDK and the Vulnerability

EngageSDK is a third-party software development kit developed by EngageLab. Its primary function is to enable Android developers to integrate push notifications and real-time messaging capabilities into their applications. Developers incorporate this SDK as a dependency, making it an integral part of the application’s runtime environment. Consequently, a single vulnerability within the SDK can simultaneously endanger every application built upon it, rather than being confined to one.

During a routine security audit, the Microsoft Defender Security Research Team identified the vulnerability. They pinpointed the flaw within an exported activity named MTCommonActivity. This activity is silently added to an application’s merged Android manifest during the build process, meaning it does not appear in the original source code but is present in the final compiled output. This often leads to developers overlooking and failing to protect the activity. Once an app is installed, this activity becomes accessible to any other application running on the device.

The scale of exposure is particularly alarming. Crypto wallet applications alone accounted for over 30 million installations, and when other applications leveraging the same SDK were included, the total number of affected installations surpassed 50 million. All applications confirmed to be running vulnerable versions have since been removed from Google Play. As of this report, there is no confirmed evidence that this vulnerability has been actively exploited in attacks.

The flaw was initially discovered in version 4.5.4 of the EngageLab SDK in April 2025. Microsoft reported it to EngageLab following Coordinated Vulnerability Disclosure (CVD) protocols under Microsoft Security Vulnerability Research (MSVR). The issue was subsequently escalated to the Android Security Team in May 2025. EngageLab issued a patch in version 5.2.1 on November 3, 2025, which mitigated the exposure by configuring the vulnerable activity as non-exported.

How the Intent Redirection Attack Works

Intent redirection is an attack technique where an attacker manipulates the content of a message, known as an “intent,” sent by a trusted application. This manipulation causes the trusted application to perform a malicious action instead of its intended function. In the Android ecosystem, intents are the primary mechanism for inter-app communication and interaction with internal components. When a legitimate app dispatches an intent, the Android system honors its associated permissions. Attackers exploit this inherent trust to execute harmful operations under the guise of a legitimate application.

A malicious application initiates the attack by sending a specially crafted URI to the exposed MTCommonActivity. This activity then passes the URI through a method called processIntent(), which subsequently forwards it to processPlatformMessage(). Within this method, a field named n_intent_uri is extracted, used to construct a new intent, and then launched using the trusted application’s permissions. Crucially, because the SDK applies the URI_ALLOW_UNSAFE flag, the malicious input can carry read and write permission flags, granting persistent access to the target app’s private storage. This allows attackers to silently exfiltrate sensitive data, including wallet credentials, private keys, and other financial information stored within the application.

What You Should Do

  • Developers: Immediately upgrade EngageLab SDK to version 5.2.1 or later.
  • Developers: After each project build, carefully review the merged Android manifest for any newly introduced exported activities or unexpected permissions from third-party libraries.
  • Developers: Always validate intent data originating from outside your application before use.
  • Users: While Android has deployed automatic mitigations and vulnerable apps have been removed from Google Play, ensure all your apps are updated to their latest versions.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Fake BTS Tour Sites Deliver Malware, Scam Fans Globally

Next Post

Storm-2755 Uses AiTM Session Hijacking to Redirect Employee Salaries

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens
July 2, 2026
Critical Claude Cowork Sandbox Vulnerability Lets Attackers Run Commands as Root
July 2, 2026
Ousaban Malware Targets Iberian Banks with Phishing PDFs and VBS Downloader
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us