Microsoft discovered a serious security vulnerability in EngageLab’s software for Android apps. This flaw could have secretly put over 30 million cryptocurrency wallets at risk.
A hidden security problem in a popular software component has potentially put millions of cryptocurrency users at risk. Researchers at Microsoft discovered a serious weakness in EngageLab’s EngageSDK, which is used in many Android apps. This flaw allowed malicious apps to completely bypass Android’s security features and access users’ private cryptocurrency wallet information without their knowledge or permission.
This software kit helps developers add in-app messages and push notifications to their apps. Because it’s added as a component, developers don’t always know exactly what it includes. Critically, over 30 million installs of cryptocurrency wallet apps were using this vulnerable code, and across all types of apps, the total number of affected installs exceeded 50 million.
The Hidden Door Nobody Noticed
The issue was hidden within a specific component called MTCommonActivity. It only showed up in the final (merged) Android manifest file, which is created *after* the app is built. This timing is crucial because developers usually check the manifest *before* building, so they often don’t notice it.
Since the component was made available (exported) for other apps to access, any app on the device could directly communicate with it. This communication triggered a process that sent a new message (an Android intent) using the original app’s permissions. The security issue arises from how that second message is handled.
Microsoft’s research showed that the component handled URIs in a way that could be exploited. Specifically, it used a setting, ‘URI_ALLOW_UNSAFE’, which unintentionally allowed access to an app’s private data, even data not intended for public use. When combined with other permissions within the malicious code, this gave an attacker ongoing access to the app’s private files without needing to repeat the attack.
30 Million Wallets, One Overlooked Library
Microsoft discovered the problem in version 4.5.4 of EngageLab’s software development kit (SDK) in April 2025. They shared the details with EngageLab using a standard security disclosure process as part of the Microsoft Security Vulnerability Research program. Because the issue affected apps available on Google Play, the Android Security Team was also notified.
EngageLab fixed the security issue in version 5.2.1, which came out on November 3, 2025. They did this by preventing other apps from accessing a specific component, MTCommonActivity. Since then, any apps still using the older, vulnerable version have been taken off the Google Play Store.
As a crypto investor, this recent security issue really has me concerned. Microsoft’s research team pointed out that vulnerabilities in the software other companies build – these ‘SDKs’ – can cause huge problems, especially in our space. We’ve already seen a lot of security breaches in digital asset management in 2025, and this flaw could have let hackers steal credentials, private keys, and even personal information. It’s a scary thought, and it highlights how important it is that these third-party tools are rock solid.
Currently, there’s no indication that this vulnerability was actively used to harm anyone. Google has already implemented new safeguards for Android users, specifically addressing the issue with EngageSDK. These protections are in place while app developers update their apps with the fix, meaning users who previously had a vulnerable app are now protected.
What Developers Must Do Now
Developers using EngageSDK versions older than 5.2.1 should update right away. Microsoft has highlighted that a common mistake is overlooking the merged manifest review process. This review is important because third-party libraries can sometimes add hidden components to apps, and these components can create security vulnerabilities.
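One way to automate the merged manifest review described above, as an added example that is not from Microsoft's or EngageLab's material: it reports components that other apps can reach in the merged manifest but that the app's own manifest does not export. The function names, both sample manifests and the `com.example.*` packages are constructed for illustration; only the name MTCommonActivity comes from the article.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def exported_components(manifest_xml):
    """Map fully qualified component name -> (tag, why other apps can reach it)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = {}
    for comp in root.iterfind("application/*"):
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(ANDROID + "name", "")
        if name.startswith("."):          # ".Foo" is relative to the package
            name = pkg + name
        elif "." not in name:             # "Foo" is relative as well
            name = f"{pkg}.{name}"
        exported = comp.get(ANDROID + "exported")
        if exported == "true":
            found[name] = (comp.tag, "exported=true")
        elif exported is None and comp.tag != "provider" and comp.find("intent-filter") is not None:
            # Without the attribute, an intent-filter implied exported before Android 12.
            found[name] = (comp.tag, "implicit via intent-filter")
    return found

def added_by_dependencies(source_xml, merged_xml):
    """Components reachable in the merged manifest that the app's own manifest does not export."""
    own = exported_components(source_xml)
    return {n: v for n, v in exported_components(merged_xml).items() if n not in own}

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample: the manifest the developer wrote and reviews before building.
SOURCE = f"""<manifest {NS} package="com.example.wallet"><application>
  <activity android:name=".MainActivity" android:exported="true">
    <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
  </activity>
</application></manifest>"""
# Constructed sample: the merged manifest after a library contributed its own entries.
# "com.example.sdk" is a placeholder package, not the SDK's real one.
MERGED = f"""<manifest {NS} package="com.example.wallet"><application>
  <activity android:name="com.example.wallet.MainActivity" android:exported="true"/>
  <activity android:name="com.example.sdk.MTCommonActivity" android:exported="true"/>
  <service android:name="com.example.sdk.PushService" android:exported="false"/>
</application></manifest>"""

if __name__ == "__main__":
    for name, (tag, why) in added_by_dependencies(SOURCE, MERGED).items():
        print(f"REVIEW {tag} {name}: {why}")
```

Run against a real build, the two inputs would be the app's own AndroidManifest.xml and the merged manifest the build produces; anything the script reports is a component to trace back to the library that declared it.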
The research highlights a wider issue with app supply chains. Apps frequently use external code libraries, and each one could be a security risk if not thoroughly checked. The more these imported code components an app uses, the more difficult it becomes to monitor everything included in the finished product.
Microsoft’s recommendations work seamlessly with its Defender XDR and Security Copilot tools, helping teams quickly identify and understand their security risks.
2026-04-10 15:11