Critical Android SDK Vulnerability Threatens Over 30 Million Crypto Wallets

A severe security vulnerability discovered in a widely used Android Software Development Kit (SDK) has placed tens of millions of cryptocurrency wallets at immediate risk of data theft. The flaw, identified by Microsoft's Defender Security Research Team within EngageLab's EngageSDK, represents one of the most significant mobile security threats to the crypto ecosystem in recent years.

The vulnerability, an intent redirection flaw in the SDK's MTCommonActivity component, allows a malicious app installed on the same device to bypass Android's security sandbox. This grants unauthorized access to the private storage of affected wallet applications, potentially exposing Personally Identifiable Information (PII), cached authentication credentials, financial data like wallet addresses and transaction histories, and, in the worst case, seed phrases and private keys.

Microsoft disclosed the flaw to EngageLab in April 2025 through coordinated vulnerability disclosure. The SDK developer issued a patch in version 5.2.1, released on November 3, 2025, which set the vulnerable activity to 'non-exported'. Google's Android Security Team was involved, and all detected vulnerable apps have been removed from the Google Play Store.

The scale of exposure is staggering, with the report indicating over 30 million installations of cryptocurrency wallet apps alone were running the vulnerable code. The total exposure across all app categories exceeded 50 million installs. The SDK is commonly integrated by developers to handle in-app messaging and push notifications, often without a full review of the components it injects into the final app build.

While no active exploits have been detected, the publication of the vulnerability details increases the risk. Security experts urge developers to immediately update to the patched SDK version and conduct security audits. For users, the critical recommendations are to update all cryptocurrency wallet apps from the Google Play Store immediately, avoid storing large amounts of crypto in mobile-exclusive wallets, and consider using hardware wallets for cold storage.