Security

Android SDK Vulnerability Exposed Millions of Wallets

3 min read

Summary

Microsoft disclosed a severe intent redirection flaw in the third-party EngageSDK for Android, putting millions of crypto wallet users at potential risk of data exposure and privilege escalation. The issue was fixed in EngageSDK version 5.2.1, and the case highlights the growing security risk of opaque mobile app supply-chain dependencies.

Audio Summary

0:00--:--
Need help with Security?Talk to an Expert

Introduction

Microsoft has disclosed a severe Android security issue in a widely used third-party library, EngageSDK. While the flaw was not found to be exploited in the wild, it affected apps installed at massive scale and serves as a reminder that third-party SDKs can quietly introduce major supply-chain risk into otherwise trusted mobile apps.

What happened

The vulnerability is an intent redirection flaw in EngageSDK, a library used for messaging and push notifications in Android apps.

Key details include:

  • The issue allowed a malicious app on the same device to abuse the vulnerable app’s trusted context.
  • This could potentially lead to unauthorized access to protected components, sensitive data exposure, and privilege escalation.
  • Microsoft said more than 30 million installations of third-party crypto wallet apps alone were potentially exposed to risk.
  • The flaw was traced to an exported Android activity, MTCommonActivity, added through the SDK during the build process.
  • Because it appears in the merged manifest post-build, developers may miss it during normal review.

Microsoft coordinated disclosure with EngageLab and the Android Security Team. The issue was resolved in EngageSDK version 5.2.1 on November 3, 2025.

Why this matters for security teams

This disclosure is important beyond Android wallets. It shows how:

  • Third-party SDKs can expand the attack surface without clear visibility
  • Exported components can create unintended trust boundaries between apps
  • Mobile app supply-chain weaknesses can affect millions of users at once

Android has also added platform-level mitigations for this specific EngageSDK risk, and apps detected as vulnerable were removed from Google Play. Microsoft noted that users who had already downloaded vulnerable apps now have additional protection.

Impact on administrators and developers

For security administrators, this is a strong example of why mobile application governance must include dependency review, not just app reputation or store approval.

For developers and DevSecOps teams, the biggest lessons are:

  • Review merged Android manifests, not only source manifests
  • Audit exported activities and other exposed components
  • Validate intent handling and cross-app trust assumptions
  • Track third-party SDK versions as part of software supply-chain management
  • Upgrade EngageSDK immediately to version 5.2.1 or later if it is present in any Android apps.
  • Review mobile apps for exported components added by dependencies.
  • Add dependency and manifest analysis to CI/CD security checks.
  • Use Microsoft’s detection guidance and indicators from the original advisory to assess exposure.

This incident reinforces a broader point: mobile security is increasingly shaped by the libraries apps depend on, not just the code developers write directly.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Read the original article by Microsoft Defender Security Research Team
Android securitymobile app securitythird-party SDKcrypto walletsMicrosoft Defender

Related Posts

Security

@antv npm Attack Hits CI/CD Secrets and Tokens

Microsoft has disclosed an active supply chain attack involving compromised @antv npm packages that used malicious preinstall scripts to steal credentials from GitHub Actions and other CI/CD environments. The campaign matters because it spread through popular downstream dependencies, putting developer pipelines, cloud secrets, and software supply chains at risk.

Security

Microsoft Gaming Security: Key Risks and Defenses

Microsoft’s latest Deputy CISO post explains why securing gaming requires a different approach than traditional enterprise IT. The company outlines the distinct risks across gaming platforms, studios, and shared central teams, and highlights how Entra ID, Purview, Defender for Cloud, and Sentinel help balance security with player experience and developer agility.

Security

Microsoft RAMPART and Clarity Open-Sourced

Microsoft has open-sourced RAMPART and Clarity, two tools aimed at improving safety in agentic AI development. RAMPART brings repeatable adversarial and regression testing into CI pipelines, while Clarity helps teams challenge design assumptions early before code is written.

Security

Fox Tempest Malware Signing Service Disrupted

Microsoft has disrupted Fox Tempest, a malware-signing-as-a-service operation that helped cybercriminals make ransomware and other malware appear legitimately signed. The takedown matters because the group abused Microsoft Artifact Signing, created more than 1,000 fraudulent certificates, and enabled attacks that could bypass security controls more easily.

Security

Storm-2949 Cloud Breach: Entra ID to Azure Attack

Microsoft detailed how Storm-2949 turned a socially engineered Microsoft Entra ID compromise into broad data theft across Microsoft 365 and Azure. The case highlights how identity attacks can escalate quickly through legitimate cloud management features, making stronger MFA controls, monitoring, and cross-platform detections critical for defenders.

Security

Microsoft Security for SMBs in an AI-Powered World

Microsoft is urging small and medium businesses to treat cybersecurity as a core business risk as AI makes phishing, malware, and identity attacks faster and more effective. The company highlights Microsoft 365 Business Premium and integrated security controls as a practical way for growing businesses to protect users, devices, email, and cloud apps without adding major complexity.