EngageLab Android SDK Security Statement: Intent Redirection Vulnerability

Regarding the Android Intent Redirection vulnerability described in the Microsoft Defender Security Research blog post, EngageLab is issuing the following official security statement for developers, customers, and users of applications integrating the EngageLab Android SDK.

Current Status

Is EngageLab SDK Safe?

Yes. EngageLab Android SDK v5.2.1 and later versions include the fix for this vulnerability.

Older versions, including v5.2.0 and earlier, should be upgraded immediately. Keeping third-party SDKs up to date remains an important security practice for all Android applications.

What Happened

On April 9, 2026, the Microsoft Defender Security Research Team published a research blog post describing an Android Intent Redirection vulnerability affecting earlier versions of the EngageLab Android SDK.

The issue involved an exported Android Activity component, MTCommonActivity. Under specific conditions, a malicious app already installed on the same device could send a crafted Intent to the affected component and potentially cause the host application to process or redirect it with the host app’s permissions.

This could create a risk of unauthorized access to app-private data in applications using affected SDK versions.

Who Is Affected

This issue affects Android applications that meet both of the following conditions:

• The application integrates EngageLab Android SDK v5.2.0 or earlier.
• A malicious application is already installed on the same device.

Applications using EngageLab Android SDK v5.2.1 or later are not affected by this specific vulnerability.

What We Fixed

In SDK v5.2.1, EngageLab changed the affected component configuration by setting MTCommonActivity to android:exported="false". This blocks external applications from invoking the affected Activity component.

Before:

    <activity
    android:name="com.engagelab.privates.common.component.MTCommonActivity"
    android:exported="true" />
    

After, fixed in SDK v5.2.1:

    <activity
    android:name="com.engagelab.privates.common.component.MTCommonActivity"
    android:exported="false" />
    

We also added additional security improvements, including:

• Input validation for incoming Intent data.
• Reduction of exported Android components across the SDK.
• Security review of SDK components.
• Additional checks in the SDK release process.

Developer Action Required

If your application uses EngageLab Android SDK v5.2.0 or earlier, please upgrade immediately to v5.2.1 or later.

Example:

implementation "com.engagelab:engagelab:5.2.1"

After upgrading, rebuild your application and verify the merged manifest:

app/build/intermediates/merged_manifests/<variant>/AndroidManifest.xml

Confirm that MTCommonActivity is no longer exported.

Timeline

The following timeline summarizes the remediation and disclosure process.

The remediation process involved multiple rounds of independent validation to ensure the fix was complete and reliable.

Our Security Commitment

We take this issue seriously and have strengthened our SDK security process.

Going forward, EngageLab is implementing:

• Mandatory merged manifest security review before SDK releases.
• Automated static analysis for exported Android components.
• A dedicated security review stage in the SDK development lifecycle.
• A public security advisory page for future security updates.
• Faster and clearer developer notification for security-related SDK updates.

We welcome responsible disclosure from security researchers. If you believe you have found a security issue in an EngageLab product, please contact us at:

security@engagelab.com

We aim to acknowledge reports within 24 hours and provide an initial assessment within 48 hours.

FAQ

Is EngageLab SDK safe now?

Yes. EngageLab Android SDK v5.2.1 and later versions include the fix. Developers should ensure they are using v5.2.1 or later.

Which versions are affected?

EngageLab Android SDK v5.2.0 and earlier are affected.

Which versions are fixed?

SDK v5.2.1 and later versions are fixed.

Was this vulnerability exploited in the wild?

Based on information available to us, there is no known evidence of exploitation in the wild.

What should developers do?

Developers should upgrade to SDK v5.2.1 or later and verify the merged Android manifest after rebuilding their application.

Do end users need to take action?

End users should keep their apps updated through official app stores. Application developers are responsible for upgrading the SDK version used in their apps.

What about the reported 50 million Android installs?

Microsoft reported that vulnerable SDK versions were found in Android applications with large-scale installations, including cryptocurrency wallet applications. The vulnerability has been fixed in EngageLab Android SDK v5.2.1 and later versions. Developers using v5.2.0 or earlier should upgrade immediately.

Does this affect iOS, Web, or server-side EngageLab services?

This statement concerns the EngageLab Android SDK and the Android Intent Redirection issue described in the Microsoft Defender Security Research blog post.

Appendix: Affected and Fixed Versions