Apr 09, 2026 • Microsoft Defender Security Research Team
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
Executive Summary
Microsoft researchers discovered a critical intent-redirection vulnerability in EngageSDK, a widely deployed third-party Android SDK, exposing over 30 million crypto wallet application installations to potential data theft. The flaw allowed malicious apps on the same device to bypass Android's security sandbox and gain unauthorized access to PII, user credentials, and financial data. Following coordinated disclosure with EngageLab and the Android Security Team, the vulnerability was patched in version 5.2.1 on November 3, 2025. All detected apps using vulnerable versions were removed from Google Play. No evidence of in-wild exploitation was found at time of writing. Android has implemented additional automatic protections while developers update to the secure SDK version. Organizations are advised to audit third-party SDK dependencies and validate exported components to prevent similar supply-chain vulnerabilities.
Summary
A severe Android intent-redirection vulnerability in a widely deployed SDK exposed sensitive user data across millions of apps. Microsoft researchers detail how the flaw works, why it matters, and how developers can mitigate similar risks by updating affected SDKs. The post Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk appeared first on Microsoft Security Blog.
Published Analysis
During routine security research, we identified a severe intent redirection vulnerability in a widely used third-party Android SDK called EngageSDK. This flaw allows apps on the same device to bypass the Android security sandbox and gain unauthorized access to private data. With over 30 million installations of third-party crypto wallet applications alone, PII, user credentials, and financial data were exposed to risk. All of the detected apps using vulnerable versions have been removed from Google Play.
Following our Coordinated Vulnerability Disclosure practices (via Microsoft Security Vulnerability Research), we notified EngageLab and the Android Security Team. We collaborated with all parties to investigate and validate the issue, which was resolved as of November 3, 2025 in version 5.2.1 of the EngageSDK.

This case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management. As of the time of writing, we are not aware of any evidence indicating that this vulnerability has been exploited in the wild. Nevertheless, we strongly recommend that developers who integrate the affected SDK upgrade to the latest available version.

While this is a vulnerability introduced by a third-party SDK, Android's existing layered security model is capable of providing additional mitigations against exploitation of vulnerabilities through intents. Android has updated these automatic user protections to provide additional mitigation against the specific EngageSDK risks described in this report while developers update to the non-vulnerable version of EngageSDK. Users who previously downloaded a vulnerable app are protected.

In this blog, we provide a technical analysis of a vulnerability that bypasses core Android security mechanisms. We also examine why this issue is significant in the current landscape: apps increasingly rely on third-party SDKs, creating large and often opaque supply-chain dependencies. As mobile wallets and other high-value apps become more common, even small flaws in upstream libraries can impact millions of devices. These risks increase when integrations expose exported components or rely on trust assumptions that aren't validated across app boundaries. Because Android apps frequently depend on external libraries, insecure integrations can introduce attack surfaces into otherwise secure applications.
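As an added example (not code from this post, from Microsoft, or from EngageSDK), the script below applies the "validate exported components" advice to a merged AndroidManifest.xml: it lists every component other apps can reach, flags those merged in from a package other than the app's own (the usual sign of an SDK-contributed component), and records whether a permission gates them. The manifest, package names and class names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a merged manifest: one component from the app itself and
# two merged in from a third-party SDK. All package/class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".SecretsActivity" android:exported="false"/>
    <activity android:name="com.vendor.sdk.RouterActivity">
      <intent-filter><action android:name="com.vendor.sdk.OPEN"/></intent-filter>
    </activity>
    <service android:name="com.vendor.sdk.PushService" android:exported="true"
             android:permission="com.example.wallet.permission.PUSH"/>
  </application>
</manifest>"""

def _attr(el, name):
    return el.get(f"{{{ANDROID_NS}}}{name}")

def is_exported(comp):
    # Android's rule: an explicit android:exported wins; without it, a component
    # that declares an intent-filter is implicitly exported (targetSdk < 31 behaviour).
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None

def audit_exported_components(manifest_xml):
    """List every component other apps can reach, with SDK origin and permission gate."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package")
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name = _attr(comp, "name")
        own = name.startswith(".") or name.startswith(app_pkg + ".")
        findings.append({"component": name, "kind": comp.tag, "from_sdk": not own,
                         "permission": _attr(comp, "permission"),
                         "implicitly_exported": _attr(comp, "exported") is None})
    return findings

def high_risk(findings):
    """Exported, SDK-supplied and not permission-gated: review these first."""
    return [f["component"] for f in findings if f["from_sdk"] and not f["permission"]]
```

Point it at the merged manifest produced by your build rather than the source manifest, since SDK components only appear after manifest merging.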
We provide resources for three key audiences:

- Developers: In addition to the best practices Android provides its developers, we provide practical guidance on identifying and preventing similar flaws, including how to review dependencies and validate exported components.
- Researchers: Insights into how we discovered the issue and the methodology we used to confirm its impact.
- General readers: An explanation of the implications of this vulnerability and why ecosystem-wide vigilance is essential.

This analysis reflects Microsoft's visibility into cross-platform security threats. We are committed to safeguarding users, even in environments and applications that Microsoft does not directly build or operate. You can find a detailed set of recommendations, detection guidance and indicators at the end of this post to help you assess exposure and strengthen protections.

Technical details

The Android operating system integrates a variety of security mechanisms, such as memory isolation, filesystem discretionary and mandatory access controls (DAC/MAC), biometric authentication, and...