Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users

SecurityWeek, Apr 10, 2026

Why It Matters

The flaw threatens the privacy and assets of millions of crypto‑wallet users, prompting urgent remediation across the mobile fintech ecosystem.

Key Takeaways

  • EngageSDK used by crypto wallets with over 30 million installs
  • Intent‑redirection flaw lets malicious apps bypass Android sandbox
  • Patch 5.2.1 released November 2025; all vulnerable apps removed from Play
  • Microsoft found no evidence of active exploitation
  • Android’s layered security offers mitigations for intent‑based attacks

Pulse Analysis

The discovery by Microsoft’s security team that EngageLab’s EngageSDK contains a critical intent‑redirection flaw has sent ripples through the mobile‑crypto ecosystem. EngageSDK, a messaging and push‑notification library, is embedded in more than 30 million installations of cryptocurrency wallet apps on Android, making the vulnerability a potential gateway to personal and financial data for a massive user base. Microsoft first alerted EngageLab in April 2025, and the Android Security Team followed shortly after, prompting a coordinated response across developers, Google Play, and the broader security community. The exposure highlights how SDK‑level bugs can cascade into user‑level breaches across the rapidly expanding crypto‑wallet market.

The flaw exploits Android intents, which facilitate inter‑process communication, by allowing a malicious app to craft an intent that the vulnerable wallet redirects to a privileged component. Once redirected, the attacker can breach the sandbox, harvest credentials, and exfiltrate transaction data without user interaction. Testing on emulated devices confirmed that the exploit can retrieve stored seed phrases, a critical asset for crypto holders. Although Google removed the affected apps from Play and EngageLab issued version 5.2.1 in November 2025, Android’s built‑in intent‑validation and permission checks provide an additional layer of defense for devices that have already installed the compromised versions.
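The bug class described above, shown as an added example for defenders reviewing their own exported components. This is not EngageSDK code or code from the original report; the class names, the `next_intent` and `message_id` extras, and the allowlisted target are hypothetical.

```java
// Added illustration of the intent-redirection pattern and its fix (hypothetical names throughout).
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

public final class RelayExamples {

    /** BEFORE: exported entry point that launches whatever Intent the caller embedded. */
    public static class VulnerableRelayActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            Intent next = getIntent().getParcelableExtra("next_intent");
            if (next != null) {
                // Launched with this app's identity: the nested Intent can reach
                // non-exported components and carry URI grants the caller never held.
                startActivity(next);
            }
            finish();
        }
    }

    /** AFTER: the embedded Intent is treated as untrusted input. */
    public static class HardenedRelayActivity extends Activity {
        // The single destination this relay is meant to open (assumed for the example).
        private static final String ALLOWED_TARGET =
                "com.example.wallet.NotificationDetailActivity";

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            Intent next = getIntent().getParcelableExtra("next_intent");
            ComponentName target =
                    (next == null) ? null : next.resolveActivity(getPackageManager());
            if (target != null
                    && getPackageName().equals(target.getPackageName())
                    && ALLOWED_TARGET.equals(target.getClassName())) {
                // Rebuild rather than forward: caller-chosen flags (including URI
                // permission grants), data URIs and unexpected extras are dropped.
                Intent safe = new Intent().setComponent(target);
                safe.putExtra("message_id", next.getStringExtra("message_id"));
                startActivity(safe);
            }
            finish();
        }
    }
}
```

When auditing an app or SDK, the pattern to search for is an exported component that reads an `Intent` (or `PendingIntent`) from extras and passes it to `startActivity`, `startService` or `sendBroadcast` without checks like these.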

For the broader fintech sector, the incident underscores the risk of relying on third‑party SDKs that handle sensitive operations. Developers are now urged to adopt rigorous supply‑chain security practices, including regular dependency audits, automated vulnerability scanning, and prompt patch deployment. Regulators may also tighten disclosure requirements for SDK‑related flaws, given the potential systemic exposure of crypto‑wallet users. Enterprises managing corporate crypto portfolios are especially advised to enforce strict SDK vetting to avoid operational risk. As Android continues to evolve its intent security model, proactive collaboration between platform owners, SDK vendors, and app developers will be essential to safeguard billions of dollars in digital assets.
