Android SDK Vulnerability Exposed Millions of Wallets

Introduction

Microsoft has disclosed a severe Android security issue in a widely used third-party library, EngageSDK. While the flaw was not found to be exploited in the wild, it affected apps installed at massive scale and serves as a reminder that third-party SDKs can quietly introduce major supply-chain risk into otherwise trusted mobile apps.

What happened

The vulnerability is an intent redirection flaw in EngageSDK, a library used for messaging and push notifications in Android apps.

Key details include:

• The issue allowed a malicious app on the same device to abuse the vulnerable app’s trusted context.
• This could potentially lead to unauthorized access to protected components, sensitive data exposure, and privilege escalation.
• Microsoft said more than 30 million installations of third-party crypto wallet apps alone were potentially exposed to risk.
• The flaw was traced to an exported Android activity, MTCommonActivity, added through the SDK during the build process.
• Because it appears in the merged manifest post-build, developers may miss it during normal review.

Microsoft coordinated disclosure with EngageLab and the Android Security Team. The issue was resolved in EngageSDK version 5.2.1 on November 3, 2025.

Why this matters for security teams

This disclosure is important beyond Android wallets. It shows how:

• Third-party SDKs can expand the attack surface without clear visibility
• Exported components can create unintended trust boundaries between apps
• Mobile app supply-chain weaknesses can affect millions of users at once

Android has also added platform-level mitigations for this specific EngageSDK risk, and apps detected as vulnerable were removed from Google Play. Microsoft noted that users who had already downloaded vulnerable apps now have additional protection.

Impact on administrators and developers

For security administrators, this is a strong example of why mobile application governance must include dependency review, not just app reputation or store approval.

For developers and DevSecOps teams, the biggest lessons are:

• Review merged Android manifests, not only source manifests
• Audit exported activities and other exposed components
• Validate intent handling and cross-app trust assumptions
• Track third-party SDK versions as part of software supply-chain management

Recommended next steps

• Upgrade EngageSDK immediately to version 5.2.1 or later if it is present in any Android apps.
• Review mobile apps for exported components added by dependencies.
• Add dependency and manifest analysis to CI/CD security checks.
• Use Microsoft’s detection guidance and indicators from the original advisory to assess exposure.

This incident reinforces a broader point: mobile security is increasingly shaped by the libraries apps depend on, not just the code developers write directly.