Vulnerabilities | Apr 10, 2026

Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users

Microsoft discovers intent redirection flaw in EngageLab SDK affecting 30M+ Android crypto wallet users.

Summary

Microsoft security researchers identified a severe vulnerability in EngageLab's EngageSDK, a third-party Android SDK used by cryptocurrency wallet apps with over 30 million installations. The intent redirection flaw allows attackers to manipulate intents and bypass Android's security sandbox to access sensitive data including credentials and financial information. EngageLab released a patch (version 5.2.1) in November 2025, and Microsoft found no evidence of active exploitation.

Full text

Microsoft security researchers discovered that a third-party Android SDK widely used in cryptocurrency wallet applications is affected by a severe vulnerability that could expose highly sensitive information.

The vulnerability was found in EngageLab’s EngageSDK, which is designed for managing messaging and push notifications in mobile applications. According to Microsoft, the SDK, which is integrated by developers into Android apps as a dependency, is used by crypto wallet apps that have a total of more than 30 million installations.

Unpatched versions of EngageSDK are affected by a vulnerability related to Android intents, which enable interaction between different applications and data sharing between the components of the same application. Microsoft researchers identified an intent redirection flaw that enables an attacker to manipulate the contents of an intent sent by vulnerable applications.

An attacker can use a malicious app running on the targeted device to send specially crafted intents that leverage the vulnerable app to bypass the Android security sandbox and gain access to sensitive data, including personal information, user credentials, and financial information.

Microsoft notified EngageLab developers in April 2025. The Android Security Team was also informed the next month due to the vulnerability affecting apps distributed through Google Play.

“While this is a vulnerability introduced by a third-party SDK, Android’s existing layered security model is capable of providing additional mitigations against exploitation of vulnerabilities through intents,” Microsoft explained.

The company said all of the detected crypto wallet apps using vulnerable versions of the SDK have been removed from Google Play. In addition, the mitigations implemented by Android should protect users who previously downloaded an affected application.
A patch was rolled out by EngageLab in early November 2025 with the release of version 5.2.1. Microsoft has now made public technical details, urging developers to ensure that they are using the latest version of the SDK. The tech giant found no evidence of exploitation in the wild.

Written by Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek.
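
The general forwarding pattern behind intent redirection, shown with a hardened form, as an added example: it is not code from EngageSDK, Microsoft or the article, and the page does not describe the SDK's internals. `RelayActivity`, `EXTRA_NEXT`, `ALLOWED_TARGET`, the package name and the `message_id` extra are hypothetical names.

```java
// Added illustration of the generic intent-redirection pattern; not EngageSDK code.
package com.example.wallet; // hypothetical app package

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.os.Parcelable;

public class RelayActivity extends Activity { // hypothetical exported component
    static final String EXTRA_NEXT = "next_intent"; // hypothetical extra key
    // The single internal screen this relay is allowed to open (hypothetical).
    static final String ALLOWED_TARGET = "com.example.wallet.NotificationDetailActivity";

    private static final int GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Caller-controlled whenever this activity is reachable from other apps.
        Parcelable raw = getIntent().getParcelableExtra(EXTRA_NEXT);
        // Weak form: calling startActivity((Intent) raw) at this point launches
        // a caller-chosen target with this app's identity and permissions.
        if (raw instanceof Intent) {
            Intent safe = sanitize((Intent) raw);
            if (safe != null) startActivity(safe);
        }
        finish();
    }

    /** Returns an explicit, flag-free intent for the allow-listed target, or null. */
    private Intent sanitize(Intent next) {
        // Never pass on a request to grant access to this app's content URIs.
        if ((next.getFlags() & GRANT_FLAGS) != 0) return null;
        ComponentName target = next.resolveActivity(getPackageManager());
        if (target == null
                || !getPackageName().equals(target.getPackageName())
                || !ALLOWED_TARGET.equals(target.getClassName())) {
            return null;
        }
        // Rebuild instead of forwarding: the component is pinned and only the
        // one expected extra is copied, so nothing else from the caller survives.
        Intent safe = new Intent().setComponent(target);
        safe.putExtra("message_id", next.getStringExtra("message_id"));
        return safe;
    }
}
```

Where a relay component does not need to be reachable from other apps at all, declaring it with `android:exported="false"` in the manifest removes the entry point entirely.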

Indicators of Compromise

  • vulnerable component — EngageLab EngageSDK (versions before 5.2.1)

Entities

  • Microsoft (vendor)
  • EngageLab (vendor)
  • EngageSDK (product)
  • Android (technology)
  • Android intents (technology)