Microsoft security researchers have disclosed a critical intent-redirection vulnerability in the widely deployed EngageLab Android SDK, a third-party push notification library integrated into dozens of applications on the Google Play Store.
The flaw, which bypasses Android’s core application sandbox, exposed sensitive user data, including personally identifiable information (PII), credentials, and financial assets across more than 50 million device installations, with cryptocurrency wallet apps alone accounting for over 30 million of those.
The vulnerability was discovered during routine security research and has since been patched in EngageLab SDK version 5.2.1, released November 3, 2025. All affected apps identified on Google Play have been removed from the platform pending developer updates.
Android applications communicate internally and with one another through a messaging mechanism called intents. The Android operating system assigns each app a unique user ID and runs it inside an isolated sandbox, so apps are ordinarily prohibited from accessing each other’s private data without explicit permission.
Intent redirection exploits this trust mechanism. When a threat actor manipulates the contents of an intent that a vulnerable app processes, they can hijack that app’s trusted identity and elevated permissions to execute arbitrary actions, including accessing protected components, reading or writing private storage, and escalating privileges within the Android environment. The Android Security Team classifies intent redirection vulnerabilities as severe and flags affected apps for enforcement action.
The Vulnerable Component: MTCommonActivity
Microsoft researchers pinpointed the flaw in an exported activity called MTCommonActivity, which is automatically injected into an application’s Android manifest during the SDK’s build process. Because it only appears in the post-build merged manifest, it frequently escapes developer review but remains fully exploitable in the final APK.
When an activity is declared as exported in the Android manifest, any app installed on the same device can send an intent directly to it. MTCommonActivity receives such intents and routes them through a processIntent() method, invoked by both the onCreate() and onNewIntent() lifecycle callbacks.
The processIntent() method extracts a URI from the incoming intent’s data field and passes it to processPlatformMessage(), which parses it as a JSON object.
If a field named n_intent_uri is detected in the JSON, the code creates a NotificationMessage object, populates its intentUri field, and eventually calls startActivity() to dispatch a newly constructed intent under the vulnerable app’s identity.
How the Exploit Chains Together
The critical method responsible for intent construction, referred to internally as a(), contains a subtle but dangerous design flaw. It superficially appears to sanitize the incoming intent by calling setComponent(null) to convert it into a harmless implicit intent, but it simultaneously instantiates a second intent variable that retains an explicit component target. It is this explicitly targeted intent, not the sanitized one, that gets returned and dispatched.
Making matters worse, the parseUri() call within this method uses the URI_ALLOW_UNSAFE flag (constant value 4), which opens a pathway to the vulnerable app’s content providers. An attacker-controlled URI can embed the following permission flags:
- FLAG_GRANT_PERSISTABLE_URI_PERMISSION
- FLAG_GRANT_READ_URI_PERMISSION
- FLAG_GRANT_WRITE_URI_PERMISSION
When these flags are combined, the malicious app receives persistent read and write access to the target app’s private storage, including content providers that are not exported, until the target app explicitly revokes the grant. The result is full unauthorized access to the application’s internal directory, including stored credentials, session tokens, and financial data.
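The following Python script is an added example, not code from the article, Microsoft, Google or EngageLab. It emulates the one part of Android’s Intent.parseUri() that matters for the flaw described above (launchFlags are taken straight from the URI, and the four URI-permission grant bits survive only when the caller passed URI_ALLOW_UNSAFE) and then lists what a host app would hand over if it dispatched the parsed intent under its own identity. The constant values are Android’s real ones; the sample URI, the package name com.example.wallet and the component name InternalActivity are constructed for the demonstration.

```python
"""Offline checker for Android intent URIs (added example; not EngageLab or Microsoft code).

Emulates the parseUri() handling of launchFlags and shows which findings a
reviewer would raise for a push payload or deep link, depending on whether
the host app parsed it with URI_ALLOW_UNSAFE or with the default flags.
"""
from urllib.parse import unquote

# Constant values as defined in android.content.Intent
URI_ALLOW_UNSAFE = 0x4
FLAG_GRANT_READ_URI_PERMISSION = 0x1
FLAG_GRANT_WRITE_URI_PERMISSION = 0x2
FLAG_GRANT_PERSISTABLE_URI_PERMISSION = 0x40
FLAG_GRANT_PREFIX_URI_PERMISSION = 0x80
GRANT_FLAGS = (FLAG_GRANT_READ_URI_PERMISSION | FLAG_GRANT_WRITE_URI_PERMISSION
               | FLAG_GRANT_PERSISTABLE_URI_PERMISSION | FLAG_GRANT_PREFIX_URI_PERMISSION)

FLAG_NAMES = {
    FLAG_GRANT_READ_URI_PERMISSION: "FLAG_GRANT_READ_URI_PERMISSION",
    FLAG_GRANT_WRITE_URI_PERMISSION: "FLAG_GRANT_WRITE_URI_PERMISSION",
    FLAG_GRANT_PERSISTABLE_URI_PERMISSION: "FLAG_GRANT_PERSISTABLE_URI_PERMISSION",
    FLAG_GRANT_PREFIX_URI_PERMISSION: "FLAG_GRANT_PREFIX_URI_PERMISSION",
}


def _decode_int(text: str) -> int:
    """Approximate java.lang.Integer.decode(): 0x hex, leading-0 octal, else decimal."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def parse_intent_uri(uri: str, parse_flags: int = 0) -> dict:
    """Parse an 'intent:...#Intent;...;end' string into the fields a reviewer cares about.

    parse_flags plays the role of the second argument to Intent.parseUri().
    """
    fields = {"action": None, "data": None, "component": None, "package": None,
              "scheme": None, "flags": 0, "extras": {}}
    marker = uri.rfind("#Intent;")
    if marker == -1 or not uri.endswith(";end"):
        # No intent fragment: parseUri() falls back to an ACTION_VIEW of the raw string
        fields["action"] = "android.intent.action.VIEW"
        fields["data"] = uri
        return fields
    data = uri[:marker]
    body = uri[marker + len("#Intent;"):-len(";end")]
    for part in body.split(";"):
        if not part:
            continue
        key, _, raw = part.partition("=")
        value = unquote(raw)
        if key in ("action", "component", "package", "scheme"):
            fields[key] = value
        elif key == "launchFlags":
            flags = _decode_int(value)
            if not parse_flags & URI_ALLOW_UNSAFE:
                # This masking is exactly what URI_ALLOW_UNSAFE switches off
                flags &= ~GRANT_FLAGS
            fields["flags"] = flags
        elif "." in key:
            # Typed extra such as S.n_intent_uri or i.count; kept as a string here
            fields["extras"][key.split(".", 1)[1]] = value
    # parseUri() strips the 'intent:' prefix and re-applies the scheme= parameter, if any
    if data.startswith("intent:"):
        data = data[len("intent:"):]
        if fields["scheme"]:
            data = fields["scheme"] + ":" + data
    fields["data"] = data or None
    return fields


def audit_intent(fields: dict, own_package: str) -> list:
    """Return short finding codes for an intent that own_package would start as itself."""
    findings = []
    component = fields["component"]
    if component:
        target_pkg = component.split("/", 1)[0]
        # An explicit intent the app sends to its own package reaches components that
        # are not exported, which is the redirection the article describes.
        findings.append("explicit_component_internal" if target_pkg == own_package
                        else "explicit_component_external")
    for bit, name in FLAG_NAMES.items():
        if fields["flags"] & bit:
            findings.append(name)
    data = fields["data"] or ""
    if data.startswith("content://"):
        findings.append("content_uri:" + data[len("content://"):].split("/", 1)[0])
        if fields["flags"] & (FLAG_GRANT_READ_URI_PERMISSION | FLAG_GRANT_WRITE_URI_PERMISSION):
            findings.append("uri_permission_grant_on_content_provider")
    return findings


# Constructed sample: names the host app's own component, points at a content://
# authority and asks for read + write + persistable grants (0x1 | 0x2 | 0x40 = 0x43).
SAMPLE_URI = ("intent:content://com.example.wallet.provider/keys"
              "#Intent;component=com.example.wallet/.InternalActivity;launchFlags=0x43;end")

if __name__ == "__main__":
    for mode, flags in (("URI_ALLOW_UNSAFE", URI_ALLOW_UNSAFE), ("default flags", 0)):
        print(mode, audit_intent(parse_intent_uri(SAMPLE_URI, flags), "com.example.wallet"))
```

Running the script shows the difference the flag makes: with URI_ALLOW_UNSAFE the grant bits and the content-provider finding appear; with the default flags the grants are masked and only the explicit internal component remains, which is still a redirection finding on its own.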
Scale of Exposure: Crypto Wallets in the Crosshairs
The breadth of this vulnerability is compounded by the sectors in which the EngageLab SDK was most heavily adopted. Cryptocurrency wallets and digital asset management apps represented the largest category of affected applications. These apps routinely store private keys, seed phrases, and user authentication data, making them extraordinarily high-value targets for data theft and financial fraud.
Microsoft confirmed the vulnerability across multiple apps on Google Play before notifying the vendor. Wallet applications alone accounted for more than 30 million installations; when factoring in non-wallet apps built on the same SDK, total device exposure exceeded 50 million installations.
Coordinated Disclosure and Patch Timeline
Microsoft followed its Coordinated Vulnerability Disclosure (CVD) process via Microsoft Security Vulnerability Research (MSVR) to responsibly report the issue.
- April 2025 – Vulnerability identified in EngageLab SDK v4.5.4; reported directly to EngageLab
- May 2025 – Issue escalated to the Android Security Team due to affected apps distributed via Google Play
- November 3, 2025 – EngageLab released SDK v5.2.1, resolving the flaw by setting MTCommonActivity to non-exported, blocking external app access
Google has additionally updated its automatic user protections within Android to provide platform-level mitigations against this specific vulnerability class while developers migrate to the patched SDK version. These platform safeguards protect users who previously downloaded a vulnerable app.
Mitigation Guidance for Developers
Microsoft and Google strongly urge all developers who have integrated the EngageLab SDK to upgrade to version 5.2.1 or later immediately. Beyond this specific patch, researchers issued broader recommendations for any team using third-party Android SDKs:
- Always review the merged Android manifest after building, not just the source manifest, to identify components or permissions added by upstream libraries
- Audit all exported activities and services for intent handling logic that processes untrusted URI data
- Apply Android’s security best practices when implementing content providers, particularly around URI permission delegation
- Restrict parseUri() usage and avoid URI_ALLOW_UNSAFE unless necessary
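The first recommendation, reviewing the merged manifest rather than the source one, is easy to automate. The Python script below is an added example, not code from the article, Microsoft, Google or EngageLab: it reads a merged AndroidManifest.xml, lists every component the platform will treat as exported, and singles out the ones whose class lives outside the app’s own package namespace and that no android:permission protects. The Gradle output path mentioned in the docstring is the usual one and is assumed; the sample manifest is constructed, and com.placeholder.pushsdk is a placeholder, not the SDK’s real package name.

```python
"""Audit a merged AndroidManifest.xml for exported components added by libraries
(added example; not code from the article or the SDK).

Point it at build/intermediates/merged_manifests/<variant>/AndroidManifest.xml
(the usual Gradle location, assumed here) rather than the source manifest,
because that is where SDK-injected components such as MTCommonActivity appear.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_exported_components(manifest_xml: str) -> list:
    """List every component the platform will treat as exported, with provenance hints."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    results = []
    if app is None:
        return results
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = _attr(elem, "name") or ""
        if name.startswith("."):
            name = package + name
        exported_attr = _attr(elem, "exported")
        if elem.tag == "provider":
            # Providers are exported only when the attribute says so (API 17+ default)
            exported = exported_attr == "true"
        else:
            # Other components default to exported when they declare an intent filter
            # (apps targeting API 31+ must state the attribute explicitly)
            exported = exported_attr == "true" or (
                exported_attr is None and elem.find("intent-filter") is not None)
        if not exported:
            continue
        results.append({
            "tag": elem.tag,
            "name": name,
            # Heuristic: a class outside the app's own namespace came from a dependency;
            # a library that shares the app's package prefix would be missed.
            "from_library": not name.startswith(package + "."),
            "permission": _attr(elem, "permission"),
            "explicit_exported": exported_attr is not None,
        })
    return results


def library_components_needing_review(manifest_xml: str) -> list:
    """Names of library-injected exported components that no permission protects."""
    return [c["name"] for c in find_exported_components(manifest_xml)
            if c["from_library"] and not c["permission"]]


# Constructed merged manifest; com.placeholder.pushsdk stands in for the SDK's real package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:label="Wallet">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.placeholder.pushsdk.MTCommonActivity"
        android:exported="true"/>
    <service android:name="com.placeholder.pushsdk.PushService"
        android:exported="false"/>
    <provider android:name=".KeyStoreProvider"
        android:authorities="com.example.wallet.provider"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name in library_components_needing_review(SAMPLE_MANIFEST):
        print("review:", name)
```

Wiring this into CI after the build step turns the "review the merged manifest" advice into a failing check whenever a dependency update introduces a new exported component, which is precisely how an injected activity like MTCommonActivity would otherwise slip through.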
The Bigger Supply-Chain Picture
This case underscores a growing risk in the mobile app ecosystem: developers increasingly rely on third-party SDKs to accelerate feature delivery, but these integrations often introduce opaque attack surfaces that are difficult to audit. A single vulnerable SDK component embedded across dozens of apps can expose tens of millions of users simultaneously.
At the time of disclosure, Microsoft stated that it had found no evidence of active exploitation in the wild. However, given the financial sensitivity of the affected applications and the severity of the access granted through exploitation, organizations and developers should treat this as a high-priority remediation item.
FAQ 1: What is the EngageLab SDK intent redirection vulnerability, and who is affected?
A flaw in the EngageLab SDK’s exported MTCommonActivity allowed malicious apps to hijack trusted app permissions, exposing the private data, credentials, and crypto assets of 50M+ Android users.
FAQ 2: Has this vulnerability been actively exploited in the wild?
As of the disclosure date, Microsoft confirmed there is no evidence of active exploitation, though the high value of affected crypto wallet apps makes them a critical patching priority.
FAQ 3: Am I still at risk if I already have a vulnerable app installed?
No. Android’s updated automatic user protections and the removal of all vulnerable apps from Google Play ensure existing users are shielded while developers migrate to the patched SDK.
FAQ 4: What should developers do to fix this vulnerability in their apps?
Upgrade immediately to EngageLab SDK v5.2.1 and audit the merged Android manifest post-build to detect and restrict any SDK-injected exported components before shipping.
Site: thecybrdef.com