TL;DR

  • Microsoft's security researchers uncovered a severe "intent redirection" vulnerability in EngageLab's EngageSDK, used by crypto wallets on Android
  • Over 30 million crypto wallet installations were exposed — a total of over 50 million installations across all affected apps
  • An updated version of the SDK (5.2.1) was not released until November 3, 2025 — seven months after discovery
  • As of April 9, 2026, according to Microsoft, there is no known evidence that the vulnerability was actually exploited

Microsoft Uncovers Critical Vulnerability in Android SDK

Microsoft's Defender Security Research Team recently published findings from a security investigation conducted in April 2025. Researchers discovered a severe vulnerability in EngageLab's EngageSDK — a third-party library primarily used to handle push notifications and messaging functions in mobile apps.

The vulnerability, located in version 4.5.4 of the SDK, is classified as an "intent redirection" flaw: an app component accepts an intent (the message Android apps use to start components and pass data between them) from another app and forwards it without validating where it is going. This means that a malicious app installed on the same device could potentially manipulate and redirect communication between apps, thereby gaining access to sensitive information normally protected by Android's security architecture.

In the worst case, attackers could have obtained private keys, seed phrases, and wallet addresses belonging to cryptocurrency users, according to Bitcoinist's coverage of the matter.

30 Million Crypto Wallets Exposed by Android Flaw

Massive Exposure — 50 Million Installations Total

The scope of the vulnerability is significant. Microsoft's researchers estimate that over 30 million crypto wallet installations alone used vulnerable versions of EngageSDK. Including other apps built with the same library, the total exposure figure rises to over 50 million installations.

[Infographic: 30M+ crypto wallets exposed; 50M+ total installations affected]

Microsoft notified EngageLab of the finding in April 2025. The Android Security Team was also informed in May 2025, as the affected apps were distributed through Google Play. A patched version of the SDK — version 5.2.1 — was not available until November 3, 2025. The solution involved setting the vulnerable activity component to "non-exported," so it can no longer be activated by external apps.
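As an added illustration of the flaw class and of the fix described above (not EngageLab's own code, and not the code Microsoft analysed), the following hypothetical notification-routing activity shows the intent redirection pattern as a commented-out line, the manifest change the page describes (android:exported="false") as a comment, and, going beyond what the page states, a code-level allow-list and flag stripping as defence in depth for components that must remain exported. The package, class and extra names are assumptions.

```java
// Added example: a generic illustration of intent redirection and its hardening.
// This is NOT EngageLab's SDK code; package, class and extra names are hypothetical.
//
// The fix the page describes is made in AndroidManifest.xml, not in Java:
//   <activity android:name=".NotificationRouterActivity" android:exported="false" />
// Once the component is non-exported, other apps cannot start it at all. The code
// below adds defence in depth for the case where a router component must stay exported.
package example.hardening;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class NotificationRouterActivity extends Activity {
    private static final String TAG = "NotificationRouter";

    // Hypothetical extra carrying the screen a notification tap should open.
    static final String EXTRA_TARGET = "example.extra.TARGET_INTENT";

    // The only screens this router is ever allowed to open, all in our own package.
    private static final Set<String> ALLOWED_TARGETS = new HashSet<>(Arrays.asList(
            "example.hardening.InboxActivity",
            "example.hardening.CampaignActivity"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = getIntent().getParcelableExtra(EXTRA_TARGET);

        // VULNERABLE pattern (do not ship): an exported activity forwarding whatever
        // Intent the caller supplied. Because startActivity runs with this app's
        // identity, the caller can reach components that are not exported to it.
        // startActivity(nested);

        // HARDENED pattern: refuse anything that is not an explicit, allow-listed
        // target inside our own package.
        if (!isAllowedTarget(nested, getPackageName())) {
            Log.w(TAG, "Rejected redirect request: "
                    + (nested == null ? "null" : String.valueOf(nested.getComponent())));
            finish();
            return;
        }

        // Strip URI-permission grants so the forwarded Intent cannot carry
        // content-provider access that the original caller did not have.
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        startActivity(nested);
        finish();
    }

    /**
     * Pure validation, kept free of Activity state so it can be unit-tested.
     * Only explicit Intents whose component is allow-listed and lives in our
     * own package are accepted; implicit Intents and foreign packages are refused.
     */
    static boolean isAllowedTarget(Intent nested, String ownPackage) {
        if (nested == null) return false;
        ComponentName target = nested.getComponent();
        if (target == null) return false;                           // implicit Intent
        if (!ownPackage.equals(target.getPackageName())) return false; // foreign package
        return ALLOWED_TARGETS.contains(target.getClassName());
    }
}
```

The manifest change is the decisive fix: a component that other apps cannot start cannot be used as a redirect hop. The allow-list check matters for routers that legitimately accept external intents, and for code review it is the line to look for: a forwarded Intent should never be passed to startActivity (or sendBroadcast, startService) without its component being checked against what the app itself expects.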


No Known Attacks — But the Risk Was Real

It is important to emphasize that, as of April 9, 2026, Microsoft has found no evidence that the vulnerability was actually exploited in practice. That lowers the immediate alarm, but it does not excuse the industry from learning from the incident.

All crypto wallets with vulnerable versions of EngageSDK have now been removed from Google Play. Google has also implemented additional protective measures for users who previously downloaded the affected applications.

Microsoft did not name the specific wallets that were affected but urges all developers using EngageLab's SDK to upgrade to version 5.2.1 or higher immediately.

Even small flaws in upstream libraries can affect millions of devices — the risk increases when integrations expose components without validation across app boundaries

A Structural Problem for the Entire Industry

The case highlights a known, but often underestimated, risk in the mobile ecosystem: the reliance on third-party libraries. Microsoft's researchers point out that Android apps are very often built on external libraries, and insecure integrations can introduce attack vectors into apps that are otherwise well-secured.

For the crypto industry, the implications are particularly serious. Wallets handle values that are directly accessible to anyone who obtains private keys — without the possibility of reversal or insurance coverage in most cases.

One flaw in a push notification library — and 30 million crypto wallets were potentially open

Advice for Users and Developers

Microsoft recommends the following measures:

  • Users: Keep all apps updated and only download from official and reliable sources like Google Play
  • Developers: Upgrade to EngageSDK version 5.2.1 or higher immediately if the library is in use
  • General: Regularly conduct security assessments of all third-party libraries in applications that handle sensitive financial data

The case has been covered by Bitcoinist with reference to Microsoft's disclosure.