A severe vulnerability in a popular third-party Android software development kit (SDK) left tens of millions of cryptocurrency wallets vulnerable to data theft, according to a newly published report by the Microsoft Defender Security Research Team.
The flaw has allowed malicious applications to bypass Android’s core security sandbox.
The scope of the threat
The vulnerability has affected a wide range of applications. The cryptocurrency and digital wallet ecosystem bore the brunt of the exposure due to the high-value nature of the stored data.
Microsoft identified over 30 million installations of affected third-party crypto wallet applications. The total exposure exceeded 50 million installations.
If exploited, the vulnerability could have exposed Personally Identifiable Information (PII), private user credentials, and sensitive financial data stored deep within the affected app’s private directories.
Fortunately, Microsoft noted that there is currently no evidence to suggest this vulnerability was ever actively exploited by threat actors in the wild.
The “intent redirection” flaw
The EngageLab SDK is a tool utilized by developers to manage push notifications and real-time in-app messaging. The security flaw was traced to a specific component (MTCommonActivity) that was automatically added to an application’s background code after the build process.
Because this component was broadly exported, it became accessible to other applications installed on the same Android device.
A malicious app installed on the same device could craft a manipulated message (an “intent”) and send it to the vulnerable crypto wallet app.
The wallet app would process this intent using its own trusted identity and permissions.
This tricked the wallet into granting the malicious app persistent read and write access to its private data directories.
Swift action was taken across the Android ecosystem to mitigate the threat.