Intent Redirection Vulnerability in Third‑Party Android Wallet SDK Puts Millions of Users at Risk
What Happened — Researchers discovered an intent‑redirection flaw in a widely‑used Android SDK that powers mobile wallet applications. The vulnerability allows a malicious app to intercept or forge intents, potentially hijacking payment flows or exfiltrating wallet credentials. Microsoft reports that the SDK is embedded in millions of Android wallets worldwide, creating a large attack surface.
Why It Matters for TPRM —
- A single compromised SDK can affect every downstream app, turning a third‑party component into a systemic risk.
- Financial loss and reputational damage can cascade from the wallet provider to merchants, partners, and end‑users.
- Regulatory scrutiny (e.g., PCI DSS, GDPR) intensifies when personal payment data is exposed through a supply‑chain flaw.
Who Is Affected — Financial services, fintech, mobile payments, and any enterprise that integrates the vulnerable SDK into Android applications.
Recommended Actions —
- Inventory all Android applications that embed the affected SDK.
- Apply the vendor‑provided patch or replace the SDK with a vetted alternative.
- Conduct a focused code review and dynamic testing of intent handling in your mobile apps.
- Update third‑party risk questionnaires to include SDK security hygiene and intent‑validation controls.
Technical Notes — The flaw stems from improper validation of inbound Intent objects: a component accepts an Intent (or an Intent nested inside one) from an untrusted caller and acts on it without checking its origin or destination, which lets a malicious app redirect or spoof the intents that trigger wallet actions. No CVE has been assigned yet; the issue is classified as a “vulnerability exploit.” Affected data includes authentication tokens, payment credentials, and transaction metadata. Source: Microsoft Security Blog
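The pattern described above, shown as an added Android example for the code review recommended earlier. This is illustrative code written for this summary, not code from the affected SDK or from Microsoft's write-up; the package name, class name and the `next_intent` extra key are hypothetical. The first handler reproduces the classic intent-redirection defect (forwarding a caller-supplied Intent unchecked); the second shows the validation a wallet component should perform before forwarding.

```java
// Added example (hypothetical package and names; not the affected SDK's code).
package com.example.walletdemo;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

// An exported entry-point Activity that receives a nested Intent from a caller and
// continues the payment flow by forwarding it. Internal wallet components should be
// declared android:exported="false" in the manifest; this Activity is the only door in.
public class PaymentEntryActivity extends Activity {
    private static final String TAG = "PaymentEntry";
    // Hypothetical extra under which a caller passes the Intent to continue with.
    static final String EXTRA_NEXT = "next_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null) {
            forwardSafely(next);
        } else {
            finish();
        }
    }

    // VULNERABLE pattern: the nested Intent is trusted as-is. Because startActivity()
    // runs with this app's identity, any app on the device can use this exported
    // component to reach non-exported wallet components it could not target directly.
    void forwardUnchecked(Intent next) {
        startActivity(next);
    }

    // HARDENED pattern: resolve the Intent's destination and only forward it when the
    // target component lives inside this package; then strip URI-permission grant flags
    // so a forwarded Intent cannot hand out read/write access to this app's data.
    void forwardSafely(Intent next) {
        ComponentName target = next.resolveActivity(getPackageManager());
        if (target == null || !getPackageName().equals(target.getPackageName())) {
            // Log the rejection (useful signal for detection of probing apps) and stop.
            Log.w(TAG, "Rejected intent redirect to "
                    + (target == null ? "<unresolvable>" : target.flattenToShortString()));
            finish();
            return;
        }
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        startActivity(next);
    }
}
```

During the focused code review, the places to look are exported components (Activities, Services, BroadcastReceivers) that call `startActivity`, `startService` or `sendBroadcast` with an Intent pulled from `getIntent()` extras or parcels without a package check like the one in `forwardSafely`; dynamic testing can confirm the fix by sending such nested Intents from a separate test app and checking that the wallet logs the rejection rather than launching the internal component.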