Version 5.2.1 of the EngageLab SDK has recently been released, fixing a vulnerability that illustrates the security risks third-party SDKs can introduce, particularly in high-stakes sectors such as digital asset management. While there is currently no evidence that this vulnerability has been exploited in the wild, developers integrating the affected SDK are strongly encouraged to upgrade to the latest version to safeguard their applications.
Android’s layered security model offers some protection against the exploitation of vulnerabilities through intents. The Android team has proactively updated user protections to mitigate the specific risks associated with the EngageLab SDK while developers transition to the fixed version. Users who have previously downloaded apps that use the vulnerable SDK are also afforded a layer of protection.
This technical analysis delves into a vulnerability that circumvents core Android security mechanisms, highlighting its significance in a landscape where applications increasingly depend on third-party SDKs, creating complex and often opaque supply-chain dependencies. As mobile wallets and other high-value applications proliferate, even minor flaws in upstream libraries can affect millions of devices, particularly when integrations expose exported components or rely on unverified trust assumptions across app boundaries.
Given that Android applications frequently utilize external libraries, insecure integrations can inadvertently introduce attack surfaces into otherwise secure applications. To assist various stakeholders, we offer resources tailored for:
- Developers: Practical guidance on identifying and preventing similar flaws, including reviewing dependencies and validating exported components.
- Researchers: Insights into the discovery process and methodology used to assess the impact of the vulnerability.
- General readers: An overview of the implications of this vulnerability and the importance of ecosystem-wide vigilance.
This analysis reflects Microsoft’s commitment to addressing cross-platform security threats, ensuring user safety even in environments and applications not directly developed or operated by Microsoft. A comprehensive set of recommendations, detection guidance, and indicators is available at the end of this post to help assess exposure and enhance protections.
Technical details
The Android operating system employs various security mechanisms, including memory isolation, filesystem access controls, biometric authentication, and network traffic encryption. Each component operates within its own security framework, which may not always align seamlessly with others.
Unlike many operating systems where applications run with the user’s privileges, Android assigns a unique user ID to each app, executing it within a sandboxed environment. This design ensures that each app has a private directory for storing data, which is not accessible to other apps unless explicitly shared through content providers.
To facilitate communication between applications, Android utilizes intents. These intents enable inter-app messaging and interaction among components within the same application, as well as data sharing. However, the delivery of an intent depends on the identity and permissions of the sending application.
Intent redirection vulnerability
Intent Redirection occurs when a threat actor manipulates the contents of an intent sent by a vulnerable app, leveraging the app’s identity and permissions to execute a malicious payload. This exploitation can lead to:
- Unauthorized access to protected components
- Exposure of sensitive data
- Privilege escalation within the Android environment
The Android Security Team has classified this vulnerability as severe, with affected apps facing enforcement actions, including potential removal from the platform.
EngageLab SDK intent redirection
The EngageLab SDK is utilized by developers to manage messaging and push notifications within mobile applications. It is integrated into Android apps as a library and provides APIs for communication tasks. A vulnerability was discovered in an exported activity, MTCommonActivity, which the SDK contributes to the application’s merged Android manifest at build time, where it is often overlooked by developers.
When an activity is declared as exported in the manifest, it becomes accessible to other applications on the same device, allowing them to send intents to it. The vulnerable activity handles incoming intents from more than one lifecycle entry point: both the onCreate() and onNewIntent() methods invoke the processIntent() method.
Within processIntent(), the contents of the incoming intent can, if certain conditions are met, lead to the creation of an attacker-controlled intent that is issued with the host application’s identity, potentially granting unauthorized access to the application’s private data.
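The pattern described above, as an added illustration that is not EngageLab’s MTCommonActivity code: an exported activity whose onCreate() and onNewIntent() both feed processIntent(), shown in a vulnerable form that relaunches an intent taken from its extras, and a hardened form that only relaunches explicit, allow-listed, grant-free intents. The extra key, class names and allow-listed target are assumptions.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;
import java.util.List;

// Added example, not EngageLab's MTCommonActivity: an exported activity that relaunches an
// intent carried in its extras. The extra key and the allow-listed class are assumptions.
public class ForwardingActivity extends Activity {
    private static final String EXTRA_FORWARD = "forward_intent";   // hypothetical key
    private static final List<String> ALLOWED_TARGETS =             // hypothetical target
            Arrays.asList("com.example.app.NotificationDetailActivity");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        processIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        processIntent(intent);
    }

    // VULNERABLE: the embedded intent runs with this app's identity, so a caller reaches
    // this app's non-exported components and content providers through it.
    private void processIntentVulnerable(Intent incoming) {
        Intent forward = incoming.getParcelableExtra(EXTRA_FORWARD);
        if (forward != null) startActivity(forward);
    }

    // HARDENED: relaunch only an explicit intent aimed at an allow-listed component of this
    // package, with URI permission grants stripped. Declaring the activity
    // android:exported="false", as the 5.2.1 fix does, removes the entry point entirely.
    private void processIntent(Intent incoming) {
        Intent forward = incoming.getParcelableExtra(EXTRA_FORWARD);
        if (forward == null || !isAllowedTarget(forward)) {
            finish();   // implicit, cross-package or unlisted target: refuse
            return;
        }
        forward.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
        startActivity(forward);
    }

    private boolean isAllowedTarget(Intent forward) {
        ComponentName target = forward.getComponent();
        return target != null && getPackageName().equals(target.getPackageName())
                && ALLOWED_TARGETS.contains(target.getClassName());
    }
}
```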
Affected applications
A significant number of applications utilizing this SDK are part of the cryptocurrency and digital wallet ecosystem, making the implications of this vulnerability particularly severe. Microsoft confirmed the flaw in multiple apps on the Google Play Store before notifying the vendor, with affected wallet applications alone accounting for over 30 million installations.
Disclosure timeline
The vulnerability was first identified in version 4.5.4 of the EngageLab SDK. Following Coordinated Vulnerability Disclosure practices, Microsoft reported the issue to EngageLab in April 2025 and subsequently notified the Android Security Team. EngageLab addressed the vulnerability in version 5.2.1, released on November 3, 2025, which set the vulnerable activity to non-exported, preventing invocation by other apps.
| Date | Event |
| --- | --- |
| April 2025 | Vulnerability identified in EngageLab SDK v4.5.4; issue reported to EngageLab |
| May 2025 | Issue escalated to the Android Security Team for affected applications distributed through the Google Play Store |
| November 3, 2025 | EngageLab released v5.2.1, addressing the vulnerability |
Mitigation and protection guidance
Android developers utilizing the EngageLab SDK are strongly advised to upgrade to the latest version without delay. Our research indicates that integrating external libraries can inadvertently introduce features or components that may compromise application security. Regularly reviewing the merged Android manifest is essential to identify any components or permissions that could affect your app’s security posture.
Keep your users and applications secure
Strengthening mobile app defenses involves more than just understanding this vulnerability. Developers are encouraged to explore Microsoft’s Security Vulnerability Research program for further insights and protective measures.
This research is provided by Microsoft Defender Security Research with contributions from Dimitrios Valsamaras and other members of Microsoft Threat Intelligence.
Learn more
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.