www.securityweek.com 4/10/2026, 8:01:25 AM

Microsoft warns of Android EngageSDK flaw exposing crypto data

Microsoft security researchers found a severe vulnerability in EngageLab’s EngageSDK, a third-party Android SDK widely used by cryptocurrency wallet apps that together have more than 30 million installations, according to Microsoft. The flaw is an intent redirection issue: a malicious app could manipulate an intent sent by a vulnerable application, bypassing the Android sandbox to access sensitive data such as personal information, user credentials and financial data.

Microsoft said it notified EngageLab in April 2025 and informed the Android Security Team the following month because of the impact on apps distributed via Google Play; all affected crypto wallet apps were subsequently removed from the store. EngageLab rolled out a patch in early November 2025 with the release of version 5.2.1, and Microsoft has since published technical details and urged developers to use the latest version.

The company reported no evidence of exploitation in the wild, and Android mitigations were described as providing additional protections against such exploitation.


Article by CyberSIXT