www.microsoft.com 4/9/2026, 2:46:35 PM · via preferred

EngageLab SDK flaw puts millions' Android data at risk


According to the Microsoft Defender Security Research Team, a severe intent redirection vulnerability was found in EngageLab SDK, a widely used third-party Android SDK. The flaw allowed other apps on the same device to bypass the Android security sandbox and access private data. The exposure affected millions of installations: the wallets ecosystem alone accounted for more than 30 million installations, and the total across vulnerable apps rose to over 50 million.

Following Coordinated Vulnerability Disclosure practices, Microsoft notified EngageLab and the Android Security Team, and the issue was resolved in version 5.2.1, released on 3 November 2025, where the vulnerable activity was set to non-exported. At the time of writing, there was no evidence that the vulnerability had been exploited in the wild, and apps using vulnerable versions had been removed from Google Play.

Android developers are urged to upgrade promptly to the latest version and to review merged manifests to prevent similar exposure. This case underscores how weaknesses in third-party SDKs can have large-scale security implications in high-value digital-asset ecosystems.
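One way to carry out the merged-manifest review recommended above, shown as an added example that is not taken from the Microsoft report or from EngageLab: it lists exported components that dependencies contribute to the build's merged manifest and notes whether a permission guards each one. The manifest below is constructed, and every package, class and permission name in it is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a merged manifest; all package and class names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.example.sdk.RouterActivity" android:exported="true"/>
    <activity android:name="com.example.sdk.FixedActivity" android:exported="false"/>
    <receiver android:name="com.example.sdk.EventReceiver">
      <intent-filter><action android:name="com.example.sdk.EVENT"/></intent-filter>
    </receiver>
    <service android:name="com.example.sdk.PushService" android:exported="true"
        android:permission="com.example.wallet.permission.PUSH"/>
  </application>
</manifest>"""


def exported_dependency_components(manifest_xml):
    """List exported components whose class lives outside the app's own package."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENTS:
            continue
        name = elem.get(ANDROID + "name", "")
        if name.startswith("."):
            name = app_pkg + name  # relative names resolve against the app package
        if name.startswith(app_pkg + "."):
            continue  # the app's own code; review it separately
        exported = elem.get(ANDROID + "exported")
        if exported is None:
            # No explicit value: treat an intent filter as implying export (pre-Android 12 default).
            exported = "true" if elem.find("intent-filter") is not None else "false"
        if exported == "true":
            guarded = elem.get(ANDROID + "permission") is not None
            findings.append((elem.tag, name, "permission-guarded" if guarded else "UNGUARDED"))
    return findings


if __name__ == "__main__":
    for tag, name, status in exported_dependency_components(SAMPLE):
        print(f"{status:18} {tag:9} {name}")
```

Each `UNGUARDED` entry is a component that any other app on the device can start; confirm it is meant to be public, and otherwise upgrade the dependency or override the component to non-exported in the app's own manifest.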


Article by CyberSIXT