Fresh mobile privacy and security hits

Big‑platform and SDK issues are still creating large exposures — Google agreed to a roughly $134m settlement over Android phones reportedly sending cellular data they shouldn't have, and Microsoft warned an outdated Android SDK flaw exposed over 50 million users (and around 30 million crypto‑wallet installs) to credential and financial risk. These incidents underline how third‑party components and platform telemetry can create expensive legal and security headaches. (wpxi.com, techradar.com, coinpedia.org)

Your phone can leak in two very different ways at once: the operating system can quietly send data in the background, and a software kit inside an app can quietly open a hole another app can use. This week brought one example of each on Android. (microsoft.com, classaction.org)

Google agreed to pay $135 million to settle a class action that said Android phones used customers’ paid cellular data to send information to Google without permission. The proposed settlement in Taylor v. Google LLC covers more than 100 million United States Android users outside California who used cellular data from November 12, 2017 until final approval. (classaction.org, federalcellularclassaction.com)

The claim in that case was not “your apps used data.” It was that Android itself kept making background transfers even when a phone was idle, which is like paying for a taxi ride and finding out the meter kept running while the car was parked. (classaction.org, news.bloomberglaw.com)

California users were carved out because Google already settled a parallel California case for $314.6 million in 2025, covering about 14 million people. In the federal case, the notice says class members do not need to file a claim form, but they do need to pick a payment method by May 29, 2026 if they want to make sure they receive payment. (classaction.org, classaction.org)

The second problem sat lower in the app stack, inside a software development kit, which is a prebuilt code bundle app makers plug in so they do not have to build every feature from scratch. Microsoft said a widely used Android kit called Engage Software Development Kit had an intent redirection flaw that put more than 50 million app installs at risk. (microsoft.com)

An intent in Android is basically a note one app hands another app saying “open this screen” or “handle this file.” Microsoft found that the flawed kit could let a malicious app abuse that handoff and bypass Android’s app sandbox, which is the wall that is supposed to keep one app out of another app’s private room. (microsoft.com)

Microsoft said more than 30 million of the affected installs were third-party crypto wallet apps, which made the risk unusually sensitive because those apps can hold login details, identity data, and money-moving functions in one place. Microsoft said the exposure included personally identifiable information, user credentials, and financial data. (microsoft.com)

The timeline shows how long these supply-chain bugs can sit around. Microsoft said it notified EngageLab and Google’s Android Security Team, and the issue was resolved on November 3, 2025 in Engage Software Development Kit version 5.2.1, but the public warning only arrived on April 9, 2026. (microsoft.com)

Microsoft also said it had no evidence the flaw was exploited in the wild, and Google Play protections were updated to help shield users who had already downloaded vulnerable apps. But Microsoft added that every detected app using vulnerable versions had to be removed from Google Play, which shows how one bad component can force a cleanup across many unrelated apps. (microsoft.com)

Put the two stories together and the pattern is hard to miss. One problem came from Android’s own background behavior, and the other came from third-party code inside Android apps, but both turned invisible plumbing into a bill, a breach risk, or both. (microsoft.com, federalcellularclassaction.com)
