Overview
- Microsoft published technical details of the EngageSDK flaw and said it has seen no in‑the‑wild abuse, urging developers to update now.
- The bug came from an exported activity called MTCommonActivity that the SDK added during manifest merging, which let a hostile app redirect an intent and use the vulnerable app’s permissions.
- The issue touched more than 30 million crypto wallet installs and pushed total exposure across all affected apps beyond 50 million.
- EngageLab fixed the problem in November 2025 with version 5.2.1 by making the risky activity non‑exported, so teams need to adopt this release to close the hole.
- Google Play removed detected vulnerable apps, and Android’s layered defenses add extra protection for users who already had them installed.
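The root cause above (an SDK activity that ends up exported after manifest merging) and the fix (making it non-exported) can both be checked mechanically on the merged manifest a build produces. The following audit script is an added example, not code from EngageLab, Microsoft or Google; the two manifests it inspects are constructed here to mirror the "before" and "after" states described in the summary, and the activity and package names in them are illustrative. It flags components reachable from other apps that carry no `android:permission`, treating a component with an intent filter but no explicit `android:exported` as exported (the pre-API-31 default) and exempting the launcher activity, which must be exported.

```python
"""Audit a merged AndroidManifest.xml for components other apps can launch without
holding a permission. Added example with constructed manifests; not EngageSDK code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(component) -> bool:
    """True if any intent filter declares the LAUNCHER category."""
    for filt in component.findall("intent-filter"):
        for cat in filt.findall("category"):
            if _attr(cat, "name") == LAUNCHER:
                return True
    return False


def find_unprotected_exported(manifest_xml: str) -> list[str]:
    """Return names of components that are exported and not guarded by a permission.

    Exported means android:exported="true", or, when the attribute is missing,
    the presence of an intent filter (the pre-API-31 default). The launcher
    activity is skipped because it is exported by design.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        if exported is None:
            is_exported = comp.find("intent-filter") is not None
        else:
            is_exported = exported.lower() == "true"
        if is_exported and _attr(comp, "permission") is None and not _is_launcher(comp):
            findings.append(_attr(comp, "name"))
    return findings


# Constructed merged manifest mirroring the vulnerable state: an SDK activity
# merged in as exported, with no permission protecting it.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.sdk.MTCommonActivity"
        android:exported="true"/>
    <provider android:name=".DataProvider" android:exported="true"
        android:authorities="com.example.wallet.data"
        android:permission="com.example.wallet.READ_DATA"/>
  </application>
</manifest>
"""

# Constructed merged manifest after the fix: the SDK activity is non-exported.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:name="com.example.sdk.MTCommonActivity"\n        android:exported="true"',
    'android:name="com.example.sdk.MTCommonActivity"\n        android:exported="false"',
)

if __name__ == "__main__":
    print("before:", find_unprotected_exported(VULNERABLE_MANIFEST))
    print("after: ", find_unprotected_exported(FIXED_MANIFEST))
```

Run it against the merged manifest from a release build (the one the build tool emits after merging every dependency's manifest) rather than the app's source manifest, since that is where an SDK-supplied component first becomes visible. If a dependency cannot be updated yet, the Android manifest merger's `tools:replace="android:exported"` attribute on an overriding `<activity>` declaration in the app manifest is the standard way to force a component non-exported; that is a general Android mechanism, not a step the summary describes, and updating to the fixed SDK release remains the stated remedy.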