Microsoft Discovers Critical Flaw Affecting Android Cryptocurrency Wallets
Critical Vulnerability Found in Android Crypto Wallet Apps
A critical vulnerability has been discovered in a widely used Android Software Development Kit (SDK), potentially exposing the sensitive data of millions of users of cryptocurrency wallet applications.
The SDK, developed by EngageLab, manages messaging and push notifications in mobile applications and is integrated by developers into Android apps as a dependency.
The vulnerability, identified by Microsoft security researchers, allows an attacker to manipulate the contents of an intent sent by vulnerable applications, enabling them to bypass the Android security sandbox and access sensitive data, including personal information, user credentials, and financial information.
This is achieved by exploiting a redirection flaw in the SDK, which interacts with Android intents, the mechanism that enables interaction between different applications and data sharing between the components of the same application.
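The general class of flaw described above, shown as an added example: this is not EngageLab's code and does not come from Microsoft's report, and the page does not show the SDK's implementation. `RelayActivity`, the `next_intent` extra and the allowlisted class name are hypothetical; the unchecked forward is left commented out beside the validated one.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Collections;
import java.util.Set;

// Hypothetical exported activity that relays an intent supplied by its caller.
public class RelayActivity extends Activity {
    private static final String EXTRA_NEXT = "next_intent"; // assumed extra name
    // Assumed allowlist: the only screen this relay is ever meant to open.
    private static final Set<String> ALLOWED_TARGETS =
            Collections.singleton("com.example.wallet.PublicScreenActivity");
    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);

        // Vulnerable pattern: forwarding the caller-supplied intent unchanged
        // launches it with this app's identity, so it can reach non-exported
        // components and carry URI grants to this app's private data.
        //     startActivity(next);

        // Hardened pattern: forward only after validating flags and target.
        if (next != null && isSafeToForward(next)) {
            startActivity(next);
        }
        finish();
    }

    private boolean isSafeToForward(Intent next) {
        // 1. Reject any intent that requests URI permission grants.
        if ((next.getFlags() & URI_GRANT_FLAGS) != 0) {
            return false;
        }
        // 2. Resolve the target; it must be inside this app and allowlisted.
        ComponentName target = next.resolveActivity(getPackageManager());
        return target != null
                && getPackageName().equals(target.getPackageName())
                && ALLOWED_TARGETS.contains(target.getClassName());
    }
}
```

Where such a component does not need to be reachable from other apps, declaring it with `android:exported="false"` in the manifest removes the entry point altogether.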
Microsoft notified EngageLab developers of the vulnerability in April 2025 and also informed the Android Security Team due to the impact on apps distributed through Google Play.
The company emphasized that while this vulnerability was introduced by a third-party SDK, Android’s existing layered security model provides additional mitigations against its exploitation.
EngageLab released a patched version of the SDK, 5.2.1, in early November 2025.
However, prior to this, all detected crypto wallet apps using vulnerable versions of the SDK had been removed from Google Play.
Microsoft urges developers to ensure that they are using the latest version of the SDK.
In contrast to earlier reports, t
