Microsoft security researchers discovered that a third-party Android SDK widely used in cryptocurrency wallet applications is affected by a severe vulnerability that could expose highly sensitive information.
The vulnerability was found in EngageLab’s EngageSDK, which is designed for managing messaging and push notifications in mobile applications.
According to Microsoft, the SDK, which is integrated by developers into Android apps as a dependency, is used by crypto wallet apps that have a total of more than 30 million installations.
Unpatched versions of EngageSDK are affected by a vulnerability related to Android intents, which enable interaction between different applications and data sharing between the components of the same application.
Microsoft researchers identified an intent redirection flaw that enables an attacker to manipulate the contents of an intent sent by vulnerable applications.
An attacker can use a malicious app running on the targeted device to send specially crafted intents that leverage the vulnerable app to bypass the Android security sandbox and gain access to sensitive data, including personal information, user credentials, and financial information.
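As an added illustration, not code from Microsoft's write-up or from EngageSDK (whose internals the article does not describe), the snippet below shows the intent-redirection pattern in a hypothetical wallet-app activity that forwards a nested Intent, alongside a hardened check. The activity, the extra name and the log tag are constructed for this example; the check follows standard Android guidance of resolving the nested Intent and refusing any target that the calling app could not have started itself.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.util.Log;

// Hypothetical "notification click" entry point in a wallet app. It receives a
// nested Intent inside its own Intent extras and is expected to forward it.
public class NotificationEntryActivity extends Activity {
    private static final String EXTRA_TARGET = "target_intent"; // constructed extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (nested == null) { finish(); return; }

        // VULNERABLE PATTERN (intent redirection): forwarding a caller-supplied
        // Intent unchanged. If this activity is exported, any app on the device can
        // hand it an Intent aimed at this app's non-exported components, which then
        // launch with this app's identity, permissions and URI grants.
        // startActivity(nested);

        if (isSafeToForward(nested)) {
            startActivity(nested);
        } else {
            Log.w("NotificationEntry", "refusing to forward untrusted nested intent");
        }
        finish();
    }

    // Hardened check: resolve the nested Intent and forward it only when the
    // resolved component is one the caller could have started directly anyway.
    boolean isSafeToForward(Intent nested) {
        ResolveInfo ri = getPackageManager().resolveActivity(nested, 0);
        if (ri == null || ri.activityInfo == null) return false;
        ActivityInfo ai = ri.activityInfo;
        // Conservative rule: never redirect into our own package. Reaching this
        // app's private components through the forwarder is the sandbox bypass.
        if (getPackageName().equals(ai.packageName)) return false;
        // Elsewhere, only forward to components that are exported anyway.
        if (!ai.exported) return false;
        // Strip URI permission grants so the forwarded Intent cannot carry this
        // app's content-provider access along to the destination.
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        return true;
    }
}
```

Marking the entry activity `android:exported="false"` where the product allows it removes the attack surface entirely; the check above is the fallback for components that must stay exported.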
Microsoft notified EngageLab developers in April 2025. The Android Security Team was informed the following month because the vulnerability affects apps distributed through Google Play.
“While this is a vulnerability introduced by a third-party SDK, Android’s existing layered security model is capable of providing additional mitigations against exploitation of vulnerabilities through intents,” Microsoft explained.
The company said all of the detected crypto wallet apps using vulnerable versions of the SDK have been removed from Google Play. In addition, the mitigations implemented by Android should protect users who previously downloaded an affected application.
A patch was rolled out by EngageLab in early November 2025 with the release of version 5.2.1. Microsoft has now made public technical details, urging developers to ensure that they are using the latest version of the SDK.
The tech giant found no evidence of exploitation in the wild.