Microsoft security researchers uncovered a critical vulnerability in EngageLab's EngageSDK, a widely used third-party Android library for messaging and notifications, that could expose sensitive data from cryptocurrency wallet apps with over 30 million combined installations. The intent redirection flaw would allow attackers to use a malicious app on the same device to bypass Android's security sandbox and access personal information, credentials, and financial data from vulnerable crypto wallets. EngageLab patched the issue in November 2025, and Google has removed all affected apps from the Play Store, with no evidence of active exploitation found.