Critical EngageSDK Flaw Exposes Millions of Crypto Wallet Users
Key Takeaways A critical intent redirection vulnerability (CVE-202X-XXXX) was discovered in EngageSDK, an Android library used for push notifications and messaging. The flaw exposed over 30 million...
Key Takeaways
- A critical intent redirection vulnerability (CVE-202X-XXXX) was discovered in EngageSDK, an Android library used for push notifications and messaging.
- The flaw exposed over 30 million cryptocurrency wallet users and more than 50 million total app installations to potential data theft.
- Malicious applications could exploit the vulnerability to bypass Android’s sandbox, gaining unauthorized read/write access to sensitive data within affected apps.
- EngageLab released a fix in version 5.2.1 of the SDK, and Google has removed all confirmed vulnerable apps from Google Play while also deploying automatic mitigations.
EngageSDK Flaw Jeopardizes Millions of Crypto Wallet Users
A significant security vulnerability within EngageSDK, a widely adopted Android library, has put more than 30 million cryptocurrency wallet users at risk of financial asset theft and personal data compromise. The flaw, identified as an intent redirection vulnerability, could allow malicious applications on the same device to circumvent Android’s security mechanisms and access private user information without authorization.
Table Of Content
Given that crypto wallets manage real financial assets, the implications of such a vulnerability extend far beyond typical privacy concerns, posing a direct threat to users’ digital wealth.
Understanding EngageSDK and the Vulnerability
EngageSDK is a third-party software development kit developed by EngageLab. Its primary function is to enable Android developers to integrate push notifications and real-time messaging capabilities into their applications. Developers incorporate this SDK as a dependency, making it an integral part of the application’s runtime environment. Consequently, a single vulnerability within the SDK can simultaneously endanger every application built upon it, rather than being confined to one.
During a routine security audit, the Microsoft Defender Security Research Team identified the vulnerability. They pinpointed the flaw within an exported activity named MTCommonActivity. This activity is silently added to an application’s merged Android manifest during the build process, meaning it does not appear in the original source code but is present in the final compiled output. This often leads to developers overlooking and failing to protect the activity. Once an app is installed, this activity becomes accessible to any other application running on the device.
The scale of exposure is particularly alarming. Crypto wallet applications alone accounted for over 30 million installations, and when other applications leveraging the same SDK were included, the total number of affected installations surpassed 50 million. All applications confirmed to be running vulnerable versions have since been removed from Google Play. As of this report, there is no confirmed evidence that this vulnerability has been actively exploited in attacks.
The flaw was initially discovered in version 4.5.4 of the EngageLab SDK in April 2025. Microsoft reported it to EngageLab following Coordinated Vulnerability Disclosure (CVD) protocols under Microsoft Security Vulnerability Research (MSVR). The issue was subsequently escalated to the Android Security Team in May 2025. EngageLab issued a patch in version 5.2.1 on November 3, 2025, which mitigated the exposure by configuring the vulnerable activity as non-exported.
How the Intent Redirection Attack Works
Intent redirection is an attack technique where an attacker manipulates the content of a message, known as an “intent,” sent by a trusted application. This manipulation causes the trusted application to perform a malicious action instead of its intended function. In the Android ecosystem, intents are the primary mechanism for inter-app communication and interaction with internal components. When a legitimate app dispatches an intent, the Android system honors its associated permissions. Attackers exploit this inherent trust to execute harmful operations under the guise of a legitimate application.
A malicious application initiates the attack by sending a specially crafted URI to the exposed MTCommonActivity. This activity then passes the URI through a method called processIntent(), which subsequently forwards it to processPlatformMessage(). Within this method, a field named n_intent_uri is extracted, used to construct a new intent, and then launched using the trusted application’s permissions. Crucially, because the SDK applies the URI_ALLOW_UNSAFE flag, the malicious input can carry read and write permission flags, granting persistent access to the target app’s private storage. This allows attackers to silently exfiltrate sensitive data, including wallet credentials, private keys, and other financial information stored within the application.
What You Should Do
- Developers: Immediately upgrade EngageLab SDK to version 5.2.1 or later.
- Developers: After each project build, carefully review the merged Android manifest for any newly introduced exported activities or unexpected permissions from third-party libraries.
- Developers: Always validate intent data originating from outside your application before use.
- Users: While Android has deployed automatic mitigations and vulnerable apps have been removed from Google Play, ensure all your apps are updated to their latest versions.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.