Big privacy and vulnerability moves
Google agreed to about a $134 million settlement over claims that Android phones collected cellular data they shouldn't have. (wpxi.com) Separately, Microsoft disclosed a vulnerability in a deprecated Android SDK that reportedly exposed tens of millions of wallet installs and risked user credentials and financial data. (techradar.com)
Two Android stories landed days apart, and they point at the same quiet problem: your phone can leak value even when you are not tapping anything. In one case, Google agreed to pay $134 million to settle claims that Android phones sent data over paid cellular networks in the background; in the other, Microsoft said a hidden software component inside Android apps could let one app reach into another app's private data. (wpxi.com, microsoft.com)

The Google case is about background traffic. The lawsuit said Android devices transferred information to Google even when phones were idle, and because that traffic used cellular networks instead of free Wi-Fi, users were allegedly paying real money for data they never chose to send. (wpxi.com, cnet.com) The settlement covers people in the United States who used Android devices on cellular data plans starting on November 12, 2017, and multiple reports say the class could include more than 100 million users. Google denied wrongdoing, but agreed to the payout in the case Taylor v. Google LLC. (topclassactions.com, wpxi.com)

That sounds small until you remember how mobile billing works. If a phone quietly burns a little paid data every day, the cost is spread across millions of people like a parking meter that keeps running while the car is turned off. (cnet.com, usatoday.com)

The Microsoft disclosure is a different kind of Android problem. It focused on a software development kit, which is a prebuilt code package developers drop into apps the way a builder installs the same lock in thousands of doors. (microsoft.com) The kit was EngageLab's EngageSDK, a messaging and push-notification component. Microsoft said a flaw in version 4.5.4 let a malicious app on the same phone send crafted messages that tricked vulnerable apps into handing over access they should never have shared. (microsoft.com, securityweek.com)

Android normally uses a sandbox, which is the wall that keeps one app's toys in one box and another app's toys in a different box. Microsoft said this flaw could help an attacker jump that wall and reach sensitive information including credentials, personal data, and financial information. (microsoft.com)

A large chunk of the exposed apps were crypto wallet apps. Microsoft said the affected wallet apps accounted for more than 30 million installations, and reporting on the disclosure said the total rose above 50 million installs when non-wallet apps using the same kit were included. (microsoft.com, thehackernews.com)

The important detail is where the weakness lived. It was not one famous app making one bad decision; it was a shared component reused across many apps, which means one overlooked part in the supply chain can spread risk across an entire category. (microsoft.com) Microsoft said EngageLab fixed the issue in version 5.2.1, and it said all identified Google Play apps using vulnerable versions had been removed from the store. That helps new downloads, but it also shows how much trust Android users place in code they never see and companies they never directly chose. (microsoft.com, thehackernews.com)

Put together, the two stories describe the same modern phone bargain. You buy the device, pay the carrier, install the app, and still depend on invisible background traffic and invisible third-party code to behave themselves every hour the screen is dark. (wpxi.com, microsoft.com)