Legacy SDKs, big exposures
Microsoft warned that a deprecated Android SDK exposed more than 50 million users to credential and financial-data risk and may have affected roughly 30 million crypto-wallet installs, while Google agreed to about $134 million to settle claims over improper cellular data collection. Together these incidents underscore how third-party components and past data practices turn into material liabilities. (techradar.com) (coinpedia.org) (wpxi.com)
A phone app can include a software development kit, a prebuilt bundle of code that handles jobs such as push notifications, much as a prefab module handles the plumbing and wiring in a new house. Microsoft said one such bundle, EngageLab's EngageSDK, opened a hole in the Android apps that embedded it: another app on the same device could reach private data it should never see. (microsoft.com)
The specific bug was an intent redirection flaw. In Android, an intent is the message one app sends to ask a component to open a screen or perform an action. Intent redirection happens when an app accepts an intent supplied by another app, typically nested inside an extra, and forwards it unchecked; the forwarded intent then runs with the forwarding app's identity and can reach components the caller could not address directly, including the app's own non-exported activities and content providers. Microsoft said the flawed kit let a malicious app misuse that handoff to get around Android's normal app sandbox. (microsoft.com)
The reach was large. Microsoft estimated that crypto wallet apps alone accounted for more than 30 million installs touched by the issue, putting personally identifiable information, login credentials, and financial data at risk. (microsoft.com) Reporting on the disclosure counted the flawed kit in apps with more than 50 million installs combined, which shows how one supplier's mistake spreads through dozens of unrelated apps at once. (techradar.com) (microsoft.com)
Microsoft said it disclosed the problem to EngageLab and Google's Android security team, and that the issue was resolved on November 3, 2025 in EngageSDK version 5.2.1. Microsoft also said Google Play removed all detected apps still shipping vulnerable versions. (microsoft.com) For a developer the check is the dependency list: any build that still pulls an EngageSDK release earlier than 5.2.1 needs the upgrade, and Microsoft urged developers to update immediately. One line keeps this from sounding like a confirmed mass theft: as of its April 9, 2026 post, Microsoft said it had no evidence the bug had been exploited in the wild. (microsoft.com) The Google case came from the other direction.
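Before turning to the Google case, here is what the intent redirection class of bug looks like in code. This is an added, illustrative Java example written for this page; it is not EngageSDK's or EngageLab's source, and the class, extra and screen names (PushOpenActivity, EXTRA_TARGET, EXTRA_SCREEN, InboxActivity, SettingsActivity) are assumptions made for the example. The first activity shows the unsafe pattern, the second a hardened version that never forwards a caller-controlled intent and, where forwarding is unavoidable, checks the target first.

```java
// Added, illustrative example of the intent redirection pattern and a hardened
// version. Not EngageSDK's or EngageLab's source; class, extra and activity
// names are assumptions made for this example.
package com.example.pushdemo;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;

/** VULNERABLE: forwards a caller-supplied nested Intent unchecked. */
public class PushOpenActivity extends Activity {
    // Hypothetical extra name carrying the screen a notification should open.
    static final String EXTRA_TARGET = "com.example.pushdemo.EXTRA_TARGET";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // This activity must be exported to be launched from a notification,
        // so ANY app on the device can send it an Intent carrying this extra...
        Intent nested = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (nested != null) {
            // ...and this call launches the attacker's Intent with OUR identity:
            // it can target our own non-exported activities, and any
            // FLAG_GRANT_*_URI_PERMISSION flags it carries hand out access to
            // content URIs the attacker could not reach on its own.
            startActivity(nested);
        }
        finish();
    }
}

/** HARDENED: map a plain string key to an explicit Intent we build ourselves. */
class PushOpenActivityHardened extends Activity {
    // Hypothetical extra name; the value is only ever used as an allowlist key.
    static final String EXTRA_SCREEN = "com.example.pushdemo.EXTRA_SCREEN";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        try {
            Intent target = buildTarget(getIntent().getStringExtra(EXTRA_SCREEN));
            if (target != null) startActivity(target);
        } finally {
            finish();
        }
    }

    /** Returns an explicit Intent for an allowlisted screen, or null to drop the request. */
    Intent buildTarget(String screen) {
        if (screen == null) return null;
        Class<? extends Activity> cls;
        switch (screen) {                       // allowlist of screens a push may open
            case "inbox":    cls = InboxActivity.class;    break;
            case "settings": cls = SettingsActivity.class; break;
            default:         return null;       // unknown key: refuse, do not guess
        }
        Intent target = new Intent(this, cls);  // explicit component, nothing from the caller
        target.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); // no caller-supplied flags survive
        return target;
    }

    /**
     * Defence in depth for code that genuinely must forward a nested Intent:
     * strip URI grant flags and refuse anything that resolves to a component
     * that is not exported (which covers our own private screens and providers).
     */
    static boolean isSafeToForward(Context ctx, Intent nested) {
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        ComponentName cn = nested.resolveActivity(ctx.getPackageManager());
        if (cn == null) return false;           // nothing would handle it: drop
        try {
            ActivityInfo info = ctx.getPackageManager().getActivityInfo(cn, 0);
            return info.exported;               // non-exported targets are off limits to outsiders
        } catch (PackageManager.NameNotFoundException e) {
            return false;                       // cannot verify: fail closed
        }
    }
}

// Hypothetical placeholder screens so the allowlist above compiles.
class InboxActivity extends Activity {}
class SettingsActivity extends Activity {}
```

The fix that actually removes the bug class is the first half of the hardened activity: the caller chooses from a fixed set of keys and the app constructs the explicit Intent itself, so no attacker-controlled component name, action or flag ever reaches startActivity. The isSafeToForward helper is only for legacy code paths that cannot be rewritten that way, and it fails closed whenever the target cannot be resolved or inspected.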
Instead of a hidden bug in a supplier's code, it was a lawsuit over Google's own handling of Android phones: whether the devices sent cellular data back to Google when users had not agreed to that transfer. (wpxi.com) (courtlistener.com) Google agreed to a settlement of about $134 million, commonly rounded to $135 million, in Taylor v. Google LLC. News reports and the settlement site say roughly 100 million United States Android users may qualify if they used an Android device with a cellular data plan from November 12, 2017 to the present and were not part of the separate California case, Csupo v. Google LLC. (wpxi.com) (federalcellularclassaction.com)
The complaint was not that Google stole passwords or emptied bank accounts. The claim was that Android devices used paid cellular data in the background, sometimes while idle, turning many tiny transfers into a billable cost borne by users rather than by Google. (wpxi.com) (usatoday.com) The case is not final. The settlement website says the final approval hearing is scheduled for June 23, 2026, objections or exclusions are due by May 29, 2026, and individual payments are capped at $100 before any adjustment for the number of valid claims. (federalcellularclassaction.com) (wpxi.com)
Put the two stories together and the pattern is plain. In one, an outdated software component inside other companies' apps created a path to sensitive data; in the other, old Android data-transfer behavior turned into a nine-figure legal bill years later. (microsoft.com) (federalcellularclassaction.com)