SINGAPORE, April 15, 2026 (GLOBE NEWSWIRE) — EngageLab, an AI-first customer engagement platform, today published an official security statement addressing the intent redirection vulnerability in its Android SDK, which was detailed in a blog post published by the Microsoft Defender Security Research Team on April 9, 2026.
The vulnerability, identified in SDK version 4.5.4, involved an exported Android Activity component (MTCommonActivity) that could be exploited by a malicious application installed on the same device to gain unauthorized access to private data within apps integrating the affected SDK version. EngageLab was notified of the issue by the Google Security Team in May 2025 and worked collaboratively through a multi-stage remediation process.
A complete fix was released in SDK v5.2.1 on November 3, 2025. On December 2, 2025, the Google Security Team independently verified that the vulnerability had been fully resolved. As of that date, no exploitation of this vulnerability in the wild has been confirmed.
Prior to the vulnerability receiving broader public attention, EngageLab had already proactively notified its developer community of the security risk in February 2026 — more than two months before the Microsoft blog post was published — and issued a follow-up reminder later that month.
“Security is foundational to everything we build,” said Zhang Qing, CTO of EngageLab. “When the Google Security Team brought this to our attention, we treated it with the highest priority. The remediation process involved multiple rounds of independent verification with the Google Security Team to ensure the fix was complete at every stage — not just passing a single checkpoint. That rigor takes time, and we believe it was the right approach. We are committed to full transparency with our developer community, and we will continue to invest in the processes and practices that keep our SDK trustworthy.”
Google Play has since updated its enforcement to protect users on devices running apps with vulnerable SDK versions, while developers who have upgraded to v5.2.1 are fully covered. Developers still integrating SDK versions below v5.2.1 are strongly advised to upgrade immediately.
EngageLab has also outlined a series of security process improvements implemented in response to this incident, including mandatory merged manifest audits prior to all future SDK releases, automated static analysis for exported component configurations, and the ongoing establishment of a formal public security advisory program to ensure timely disclosure of future security issues.
The company’s full security statement, including a complete remediation timeline, technical analysis, and developer upgrade guidance, is available at: https://www.engagelab.com/blog/security-statement-android-sdk-intent-redirection-vulnerability
About EngageLab
EngageLab is an AI-first customer engagement platform that helps you build stronger customer relationships with AI agents, unified customer data, and reliable delivery across channels.
Media Contact
EngageLab Security Team: security@engagelab.com
