EngageSDK Vulnerability puts millions of crypto wallets at risk
A recently identified flaw in the popular Android library EngageSDK has sparked serious worries within the cryptocurrency sector, potentially endangering millions of users to data breaches and illicit entry.
Security experts uncovered a critical “intent redirection” flaw in EngageSDK, a third-party Android SDK widely used for push notifications and in-app communication.
This flaw enables harmful applications on the same device to circumvent Android’s isolation mechanisms and interact with sensitive parts of other applications.
This issue is especially concerning as many impacted apps are cryptocurrency wallets. Analysts calculate that over 30 million wallet installations and more than 50 million total app installations were affected by compromised SDK versions.

While there’s no confirmed case of active misuse, the vulnerability’s design allows attackers to potentially obtain personally identifiable information (PII), login details, and even financial assets.
Attack Mechanism Breakdown
Android enforces app separation via a sandbox system, granting each app its own identity and limiting access to private data. However, apps communicate through “intents,” which are action-triggering messages.
The EngageSDK flaw exploits this communication framework.
- A hostile app transmits a custom intent with a manipulated URI.
- The compromised app processes this intent via EngageSDK’s public activity (MTCommonActivity).
- The SDK then unintentionally alters the intent’s permissions.
- This enables the attacker to access safeguarded sections or information in the targeted app.

For instance, a malicious application could deceive a crypto wallet into providing unrestricted read/write access to its storage, revealing wallet balances or authentication tokens without user consent.
The flaw stems from an exported activity that the SDK automatically generates during compilation. Since this component appears only in the combined Android manifest, many developers overlook it during app development.
Worse, the SDK handles unvalidated input and constructs a new intent using risky permissions, like those enabling ongoing read/write access.
The processPlatformMessage() method constructs a JSON object using the uri string provided to it.

Instead of creating a harmless implicit intent, the SDK generates an explicit one targeting sensitive components, effectively allowing privilege escalation.
Correction and Disclosure Details
Microsoft researchers identified the issue in EngageSDK version 4.5.4 and disclosed it in April 2025 through coordinated reporting. The flaw was later resolved in version 5.2.1, released on November 3, 2025.
The fix deactivates the vulnerable component by marking it as non-exported, preventing external apps from accessing it.

Exploitation begins when a malicious app constructs an intent with a modified URI in the additional data field. The compromised app then processes this URI, generating and transmitting an intent with its own permissions.
Google has since removed affected apps from the Play Store, and Android has added enhanced runtime defenses to reduce exploitation risks on user devices.
This event underscores a growing threat in app development: third-party SDK risks. Even robust applications can become vulnerable if their integrated libraries contain hidden or insecure elements.
In high-stakes areas like cryptocurrency, such flaws can have widespread impacts. A single defective SDK can quietly expand attack surfaces across millions of devices.
Developers must urgently update to EngageSDK version 5.2.1 or newer and inspect their apps for unintended exported parts. Examining the merged Android manifest is crucial to detect hidden risks from dependencies.
Currently, users are safeguarded by Google Play’s policies and Android security patches, but maintaining app updates is still vital.
This situation highlights that supply chain security is now a key challenge in mobile environments, where a single overlooked vulnerability can affect millions of users.