Android data exposure and fines

A flaw in the EngageLab SDK exposed data across more than 50 million Android installs, more than 30 million of them in cryptocurrency and digital-wallet apps, until it was patched, highlighting supply-chain risk in mobile libraries (thehackernews.com). Separately, Google agreed to a $135 million settlement over allegations that Android devices sent data to Google in the background over users' cellular plans, underscoring that data practices can become material legal liabilities for platform operators and app ecosystems (androidpolice.com).

A phone app can include a software development kit (SDK), a prebuilt bundle of code from another company that works like a drop-in part. Microsoft said one of those parts, the EngageLab SDK, left data exposed across more than 50 million Android app installs. (thehackernews.com) The riskiest slice was crypto wallets: Microsoft said apps in the cryptocurrency and digital wallet category accounted for more than 30 million of those installs. (thehackernews.com)

The flaw sat in Android's "intent" system, the message-passing mechanism apps use to ask each other, and the operating system, to do things. Microsoft said the bug let one app abuse another app's trusted permissions and reach private data it should not have been able to touch. (thehackernews.com) That is why this is a supply-chain story rather than a single-app bug: one vulnerable library bundled into many apps spreads the same weakness across an entire ecosystem, much as one faulty car part can trigger recalls across many brands. (thehackernews.com)

Microsoft said the vulnerable version was EngageLab SDK 4.5.4. The company said it disclosed the issue in April 2025, and EngageLab released version 5.2.1 in November 2025 to patch it. (thehackernews.com) Microsoft also said it found no evidence the flaw had been exploited maliciously, and that all detected apps using vulnerable versions had been removed from the Google Play Store by the time of publication. (thehackernews.com) One caveat worth keeping in mind: an SDK is compiled into each app that uses it, so a patched library version protects users of a given app only once that app's developer rebuilds against it, publishes the new build, and users install the update.

At almost the same moment, Google is dealing with a different kind of Android data problem in court. A class action, Taylor v. Google, alleges that Android devices transferred information to Google in the background over cellular networks, consuming data people were paying for without clear permission. (courtlistener.com, federalcellularclassaction.com) On March 5, 2026, Magistrate Judge Virginia K. DeMarchi granted preliminary approval to a $135 million settlement in that case. The official settlement notice says the class covers people in the United States who used an Android device on a cellular network from November 12, 2017 onward, excluding people covered by the separate California case. (justia.com, federalcellularclassaction.com, cdn.prod.website-files.com) Android Police said the claims process went live on April 9, 2026. The official settlement site lists May 29, 2026 as the deadline for exclusions and objections, and June 23, 2026 for the final approval hearing. (androidpolice.com, federalcellularclassaction.com, claimdepot.com)

Put together, the two stories show the same pressure point from opposite sides: in one, a third-party code library became a hidden doorway inside apps; in the other, background data transfers became a $135 million legal bill for the platform operator. (thehackernews.com, federalcellularclassaction.com)
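The intent-system weakness described above is, in general terms, what Android security guidance calls intent redirection: an exported component accepts an Intent supplied by a caller and launches it itself, so the launch carries the host app's identity and permissions rather than the caller's. The page does not reproduce EngageLab's code or describe the exact mechanism of that bug, so what follows is an added, hypothetical illustration of the general pattern (not EngageLab's or Microsoft's code). The host package name, activity names and the "next_intent" extra key are all assumptions made for the illustration.

```java
// Added illustration of Android intent redirection; not the EngageLab SDK's code.
// Assumed host app package: com.example.host. Both activities are assumed to be
// declared with android:exported="true" in the manifest, because the SDK expects
// other apps (or a notification tap) to open them.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.os.Bundle;

// file: VulnerableRelayActivity.java
// Vulnerable pattern: blindly forwards a caller-supplied Intent under the host's identity.
public class VulnerableRelayActivity extends Activity {
    static final String EXTRA_NEXT = "next_intent"; // extra name is an assumption

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null) {
            // startActivity() runs as the host app, so a malicious caller can:
            //  - name one of the host's non-exported (private) components, which
            //    Android would refuse to launch for the attacker directly, or
            //  - set FLAG_GRANT_*_URI_PERMISSION on a content:// URI the host can
            //    read, handing that access to an activity the attacker controls.
            startActivity(next);
        }
        finish();
    }
}

// file: SafeRelayActivity.java
// Hardened form: forwards only Intents that cannot lend the host's privileges.
public class SafeRelayActivity extends Activity {
    static final String EXTRA_NEXT = "next_intent"; // extra name is an assumption

    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null && isSafeToForward(this, next)) {
            startActivity(next);
        }
        finish();
    }

    /** True only if launching {@code next} from the host grants the caller nothing extra. */
    static boolean isSafeToForward(Context ctx, Intent next) {
        // 1. Never relay URI permission grants: the grant would be issued with the
        //    host's access to its own content providers, not the caller's.
        if ((next.getFlags() & URI_GRANT_FLAGS) != 0) {
            return false;
        }
        // 2. Resolve the destination and refuse anything that is not exported.
        //    A non-exported activity is reachable from here only because the host
        //    is the one launching it; the caller could not have opened it itself.
        ActivityInfo target = next.resolveActivityInfo(ctx.getPackageManager(), 0);
        if (target == null || !target.exported) {
            return false;
        }
        // 3. Restrict targets to the host's own package, so the relay cannot be used
        //    to reach permission-protected activities in other apps using whatever
        //    permissions the host has been granted. The result is that only the
        //    host's own exported activities qualify, which the caller could already
        //    have launched directly, so no privilege is gained by going through us.
        return ctx.getPackageName().equals(target.packageName);
    }
}
```

Where the relay only ever needs to open a handful of known screens, a fixed allowlist of component names is simpler still and easier to audit than resolution-based checks; the resolution approach above is shown because it generalises to deep-link style relays that carry arbitrary extras. Either way, the fix lives inside the library, so each app that bundles it still has to ship a rebuilt version before its users are protected.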
