Visual representation of an intent redirection | Image: Microsoft
In the high-stakes world of digital finance, the security of a mobile wallet is often only as strong as the third-party code running inside it. A recent investigation by the Microsoft Defender Security Research Team has uncovered a critical vulnerability in a widely used Android development kit that put tens of millions of users at risk.
The flaw was discovered in EngageSDK (formerly known as EngageLab SDK), a popular toolset integrated into a vast array of applications found on the Google Play Store.
At the center of the discovery is a “severe intent redirection vulnerability”. In the Android ecosystem, “intents” are the messaging objects used to request actions from other app components. However, when handled improperly, they can become a skeleton key for attackers.
According to the Microsoft report, “this flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data”. By exploiting a vulnerable activity known as MTCommonActivity, a malicious app installed on a user’s phone could “trick” a legitimate app into handing over access to its private storage space.
The scale of the exposure is particularly alarming because of the types of applications that rely on this SDK. Researchers found that a significant number of affected apps were part of the cryptocurrency and digital-wallet ecosystem.
The impact breakdown is significant:
- Crypto Wallets: Over 30 million installations of third-party wallet applications were found to be vulnerable.
- Total Exposure: When including non-wallet apps, the total exposure climbed to over 50 million installations.
- Data at Stake: The vulnerability put PII (Personally Identifiable Information), user credentials, and sensitive financial data at immediate risk of theft.
Microsoft identified the vulnerability in version 4.5.4 of the SDK and worked closely with the developers at EngageLab and the Android Security Team to resolve the issue.
The solution arrived on November 3, 2025, with the release of EngageSDK version 5.2.1. The fix was elegantly simple but vital: “In the fixed version, the vulnerable activity is set to non-exported, which prevents it from being invoked by other apps”.
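The vulnerability class described above (an exported SDK activity reachable by any other app on the device) and the fix (marking it non-exported) both come down to manifest configuration. The following Python script is an added example, not Microsoft's or EngageLab's code: it audits an Android manifest for activities that other apps can start, applying Android's default rule that an activity without an explicit `android:exported` value is exported if it declares an intent-filter, and shows the remediation by setting `android:exported="false"` on the flagged entries. The manifest and activity names (`com.example.sdk.BridgeActivity` and so on) are constructed for the demonstration and do not describe EngageSDK's actual manifest.

```python
import xml.etree.ElementTree as ET

# Android's attribute namespace; ET exposes android:name as {ns}name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:* attribute from a manifest element (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Constructed sample manifest (hypothetical package and activity names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <!-- SDK activity explicitly exported: any app on the device can start it -->
    <activity android:name="com.example.sdk.BridgeActivity"
              android:exported="true" />
    <!-- Same activity after the kind of fix described in the article -->
    <activity android:name="com.example.sdk.FixedBridgeActivity"
              android:exported="false" />
    <!-- Launcher activity: exported by design, not a finding -->
    <activity android:name="com.example.wallet.MainActivity"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <!-- No explicit exported flag but has an intent-filter: exported by default -->
    <activity android:name="com.example.wallet.LegacyActivity">
      <intent-filter>
        <action android:name="com.example.wallet.OPEN" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def is_effectively_exported(activity):
    """Explicit android:exported wins; otherwise an activity is exported
    exactly when it declares at least one intent-filter."""
    explicit = attr(activity, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return activity.find("intent-filter") is not None


def audit_exported_activities(manifest_xml):
    """Return one record per activity that other apps can start."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        if not is_effectively_exported(activity):
            continue
        is_launcher = any(
            attr(cat, "name") == "android.intent.category.LAUNCHER"
            for cat in activity.iter("category")
        )
        findings.append({
            "name": attr(activity, "name"),
            "launcher": is_launcher,
            # An android:permission guard limits who may start the activity.
            "permission_guarded": attr(activity, "permission") is not None,
            "explicit_flag": attr(activity, "exported") is not None,
        })
    return findings


def risky_activities(manifest_xml):
    """Exported, not the launcher entry point, and not permission-guarded:
    each of these deserves review for intent-redirection style abuse."""
    return [
        f["name"] for f in audit_exported_activities(manifest_xml)
        if not f["launcher"] and not f["permission_guarded"]
    ]


def set_non_exported(manifest_xml, activity_names):
    """Apply the remediation the article describes: mark the named
    activities android:exported="false" and return the rewritten manifest."""
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(manifest_xml)
    for activity in root.iter("activity"):
        if attr(activity, "name") in activity_names:
            activity.set(f"{{{ANDROID_NS}}}exported", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    flagged = risky_activities(SAMPLE_MANIFEST)
    print("Review these exported activities:", flagged)
    hardened = set_non_exported(SAMPLE_MANIFEST, flagged)
    print("After hardening:", risky_activities(hardened))
```

Running the script flags the two non-launcher activities that any co-installed app could start (the explicitly exported SDK activity and the legacy one that is exported only by default) and reports none after they are marked non-exported. Setting `android:exported="false"` is the right fix for an SDK activity that only the host app itself should ever launch; where an activity must remain reachable from outside, an `android:permission` guard plus validation of the incoming intent's target inside the activity are the alternatives the audit's `permission_guarded` field is meant to surface.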
As of the report’s publication, Microsoft stated: “we are not aware of any evidence indicating that this vulnerability has been exploited in the wild”. Furthermore, all apps detected using the vulnerable versions have since been removed from the Google Play Store to protect users.
Microsoft’s team concludes that “this case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management”.
If you are a developer using EngageSDK, the mandate is clear: upgrade to version 5.2.1 or later immediately, so that an exported activity does not become an open door into your users’ private data.