Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk

Microsoft Defender Security Research discovered a severe intent redirection vulnerability in the EngageLab Android SDK (MTCommonActivity) that could allow a malicious app to cause vulnerable apps to send intents under their identity, potentially granting persistent read/write access to private content providers and exposing sensitive PII and financial data. The flaw affected a large portion of the mobile wallet ecosystem (over 30 million wallet installs and >50 million total installs across apps), was reported via coordinated disclosure, and addressed in EngageSDK v5.2.1 (Nov 3, 2025); no evidence of active exploitation was observed, and developers are strongly advised to update and review merged manifests.