A flaw in the EngageLab SDK (EngageSDK) exposed up to 50 million Android users, including more than 30 million installs of cryptocurrency wallet apps, by letting any app on the same device bypass the Android app sandbox and reach the affected app's private data. Microsoft researchers found the issue and coordinated disclosure with the SDK's developers, who fixed it in version 5.2.1; apps still carrying the vulnerable version were removed from Google Play.
The vulnerability stems from an exported component, MTCommonActivity, that the SDK's own manifest contributes to the host app's merged manifest at build time. Because it was exported, any app on the device could start it; the activity read attacker-controlled data from the incoming intent and used it to build new intents aimed at the host app's internal, non-exported components. This intent redirection let a threat actor run a malicious payload with the affected app's privileges, potentially leading to unauthorized access to protected components, exposure of sensitive data, and privilege escalation.
Microsoft disclosed the issue to EngageLab in April 2025; the Android Security Team joined the effort in May because of the Play Store impact, and the fix was released on 3 November 2025. To help keep apps secure, the report urges developers to review the merged Android manifest whenever they incorporate a third-party SDK, since that file, not the app's own manifest, shows which components the SDK exports. According to Microsoft, insecure integrations can introduce attack surfaces into otherwise secure applications.
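The manifest review the report recommends can be scripted. The following is an added example, not code from Microsoft's report or from the EngageLab SDK: it parses a merged AndroidManifest.xml (the file Gradle writes under build/intermediates/merged_manifests/) and flags every exported component that no permission protects, marking components whose class sits outside the app's own package as SDK-supplied, which is exactly how an SDK-contributed exported activity such as MTCommonActivity would surface. The manifest is constructed for illustration; the package names (com.example.wallet, com.engagelab.sdk, com.thirdparty) and the other component names are assumptions.

```python
"""Flag exported, unprotected components in a merged AndroidManifest.xml.

Added example, not code from the Microsoft report or the EngageLab SDK.
The sample manifest is constructed; only the class name MTCommonActivity
comes from the report, the package names around it are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed merged manifest: the app's own components plus two that an
# SDK's manifest contributed during the merge (assumed names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:label="Wallet">
    <activity android:name="com.example.wallet.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.wallet.SeedPhraseActivity" android:exported="false"/>
    <!-- contributed by a third-party SDK manifest during the merge -->
    <activity android:name="com.engagelab.sdk.MTCommonActivity" android:exported="true"/>
    <service android:name="com.example.wallet.SyncService" android:exported="true"
        android:permission="com.example.wallet.permission.SYNC"/>
    <receiver android:name="com.thirdparty.PushReceiver">
      <intent-filter>
        <action android:name="com.thirdparty.PUSH"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Android's rule: an explicit android:exported wins; without it, a
    component that declares an intent-filter is exported by default on
    targetSdk < 31 (on 31+ the build rejects the missing attribute), so a
    missing attribute plus an intent-filter is a finding either way."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def find_exposed_components(manifest_xml, own_package):
    """Return (tag, class name, origin, how-exported) for each exported
    component that is not guarded by android:permission.  The launcher
    activity is skipped because it has to be exported."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if _attr(comp, "permission"):
            continue  # only callers holding that permission can reach it
        if any(_attr(cat, "name") == LAUNCHER for cat in comp.iter("category")):
            continue
        name = _attr(comp, "name") or ""
        origin = "app" if name.startswith(own_package + ".") else "sdk"
        how = "explicit" if _attr(comp, "exported") is not None else "implicit (intent-filter)"
        findings.append((comp.tag, name, origin, how))
    return findings


if __name__ == "__main__":
    for tag, name, origin, how in find_exposed_components(SAMPLE_MANIFEST, "com.example.wallet"):
        print(f"{tag:9} {name:40} {origin:4} exported={how}")
```

Run against a real build, point it at the merged manifest for the release variant rather than the app's source manifest, since only the merged file contains what each SDK's manifest added. Every "sdk" finding is a component another app on the device can start; for each one, decide whether it must be exported at all and, if it must, whether it needs a signature-level permission or must validate the data it takes from incoming intents before acting on it.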