EngageLab Flaw Opened 30M Wallet Apps to Android Data Theft: Microsoft
Microsoft disclosed a critical vulnerability in the EngageLab Android SDK used by over 30 million crypto wallet apps, which allowed malicious apps to bypass sandbox protections and access private wallet data. Google Play has removed affected apps, and EngageLab patched the flaw in version 5.2.1 by securing the vulnerable activity. This incident highlights significant security risks in widely used crypto wallet SDKs and prompts stronger safeguards in Android.
TLDR:
- Microsoft found the EngageLab SDK bug could expose private wallet data across 30M Android installs globally.
- The flaw abused Android intents to grant hostile apps persistent read and write provider permissions.
- EngageLab fixed the issue in v5.2.1 by changing MTCommonActivity to non-exported status.
- Google Play removed affected wallet apps, while Android added safeguards for already installed versions.

Microsoft has disclosed a severe Android SDK vulnerability that placed more than 30 million crypto wallet installs at risk. The flaw affected EngageLab’s widely used EngageSDK, which many wallet apps used for push messaging features. According to Microsoft’s security research, the issue enabled malicious apps on the same device to bypass sandbox protections. Google Play has since removed all identified apps using the vulnerable SDK versions.

EngageLab Android SDK Flaw Exposed Crypto Wallet Attack Surface

Microsoft said the issue centered on an exported Android activity called MTCommonActivity. The component was automatically added during manifest merging after developers imported the SDK. Because it appeared only in the merged, post-build manifest, many teams likely missed it during review. That left production APKs open to hidden risk.

The vulnerable flow began when the activity received an external intent. Its onCreate() and onNewIntent() callbacks both routed data into processIntent(). That method extracted a URI string and forwarded it deeper into the SDK logic. The chain eventually rebuilt and launched a new intent.

Microsoft’s write-up noted the critical failure happened in a helper method. Instead of returning a safe implicit intent, it returned an explicitly targeted one. That changed Android’s normal resolution path and let hostile apps redirect execution. In practice, the vulnerable wallet app launched the malicious payload with its own privileges.

The risk worsened because the SDK used Android’s URI_ALLOW_UNSAFE flag. That allowed persistent read and write URI permissions insid...
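The root cause above was an SDK activity that arrived exported through manifest merging and so never showed up in the source manifest developers reviewed. The defensive check that follows is an added example, not code from Microsoft, EngageLab or any wallet vendor: a small audit that parses the merged AndroidManifest.xml the build actually ships and flags activities that are exported without a caller permission, skipping the normal MAIN/LAUNCHER entry. The two manifests embedded in it are constructed stand-ins for the pre-fix and post-fix state: package names, the `com.example.sdk` prefix on MTCommonActivity and the placeholder intent-filter action are assumptions, not values from the advisory.

```python
"""Audit a merged AndroidManifest.xml for exported, unprotected activities.

Added example, not the SDK's or Microsoft's code. The two manifests below are
constructed: package names, the SDK class prefix and the intent-filter action
are placeholders standing in for whatever the real merged manifest contains.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:<name> attribute (namespaced in the parsed tree)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher_entry(act):
    """True when every intent-filter on the activity is exactly MAIN + LAUNCHER."""
    filters = act.findall("intent-filter")
    if not filters:
        return False
    for f in filters:
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if actions != {"android.intent.action.MAIN"} or cats != {"android.intent.category.LAUNCHER"}:
            return False
    return True


def find_exposed_activities(manifest_xml: str) -> list:
    """Return class names of activities any other app on the device can start.

    An activity counts as exposed when it is exported, either explicitly
    (android:exported="true") or implicitly (it declares an <intent-filter>
    and omits android:exported, the legacy default), carries no
    android:permission a caller must hold, and is not the app's own launcher
    entry. Anything returned here deserves the same review as your own code,
    even if it was merged in from a third-party SDK.
    """
    root = ET.fromstring(manifest_xml)
    exposed = []
    for act in root.iter("activity"):
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        is_exported = has_filter if exported is None else exported.lower() == "true"
        if not is_exported or _attr(act, "permission") is not None:
            continue
        if _is_launcher_entry(act):
            continue
        exposed.append(_attr(act, "name"))
    return exposed


# Constructed pre-fix state: the SDK's activity arrives exported via manifest merging.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name="com.example.wallet.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- merged in from the SDK's own manifest; package prefix and action are placeholders -->
    <activity android:name="com.example.sdk.MTCommonActivity" android:exported="true">
      <intent-filter>
        <action android:name="com.example.sdk.PLACEHOLDER_ACTION"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed post-fix state, mirroring the v5.2.1 change: the activity is no longer exported.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'MTCommonActivity" android:exported="true"',
    'MTCommonActivity" android:exported="false"',
)


if __name__ == "__main__":
    # Point this at the merged manifest under app/build/intermediates (path varies by AGP version).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(find_exposed_activities(fh.read()))
    else:
        print("vulnerable:", find_exposed_activities(VULNERABLE_MANIFEST))
        print("fixed:     ", find_exposed_activities(FIXED_MANIFEST))
```

Run it against the merged manifest the build writes under app/build/intermediates rather than the source manifest, since that is where SDK-contributed components first become visible; wiring it into CI turns a newly exported activity from a dependency bump into a failed build instead of a surprise in production.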