Android privacy and SDK risks surface
Google agreed to about a $134 million settlement over claims that Android phones collected cellular data improperly, underscoring legal exposure from passive data collection. At the same time Microsoft warned that an outdated Android SDK exposed tens of millions of users to credential and financial-data risk, and a class-action law firm announced an investigation into a Figure Lending breach affecting nearly one million users—together highlighting that routine mobile components and breaches remain costly. (wpxi.com, techradar.com, prnewswire.com)
A phone can leak information in two very different ways: by quietly sending data in the background, or by trusting the wrong software part inside an app. Android landed in both stories this month. (microsoft.com, kiro7.com)
Google agreed to a roughly $135 million settlement in Taylor v. Google LLC after claims that Android devices sent data to Google over paid cellular connections even when phones were idle. Google denied wrongdoing, but the settlement site is now live for eligible users. (kiro7.com, cnet.com) The complaint was not about a hacker breaking in. It was about the operating system itself allegedly using a customer’s metered data plan like a taxi meter still running while the car is parked. (cnet.com, usatoday.com)
A software development kit is a prebuilt app component, like buying a lock instead of machining one yourself. Microsoft said one widely used Android kit called EngageSDK had a flaw that could let a malicious app on the same phone reach into another app’s private data. (microsoft.com) Microsoft said the flaw was an intent redirection bug. In plain English, Android apps pass requests to each other through little digital envelopes called intents, and this bug let a bad app reroute those envelopes and read data that should have stayed sealed. (microsoft.com)
The scale came from reuse. Microsoft said EngageSDK appeared in apps with more than 50 million installs, including roughly 30 million cryptocurrency wallet installs, so one outdated component could spread risk across a huge slice of the Android ecosystem. (microsoft.com, techrepublic.com) That is the part consumers almost never see. You can update your banking app, but if the developer left an old third-party kit inside it, the weak point rides along like a worn brake line hidden under the hood. (microsoft.com)
Then there is the third kind of mobile risk: a company breach outside the phone itself. Figure Lending said in notices dated February 24, 2026 that a security incident affected personal information, and law firms say about 967,000 users may have been impacted. (classactionu.org, prnewswire.com) Reports on the Figure incident say attackers used social engineering, which means tricking a person instead of cracking a machine. In this case, outside reporting tied the breach to an employee-account compromise and a broader campaign linked to the ShinyHunters group. (bleepingcomputer.com, cybernews.com)
Put together, these cases show three layers of mobile exposure in 2026: the phone maker collecting in the background, the app developer shipping a risky kit, and the financial company losing data on its own servers. None of those requires you to tap a bad link for the damage to start. (kiro7.com, microsoft.com, classactionu.org)
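Another app can only hand an intent to a component the manifest exports, so a third-party kit that "rides along" shows up as exported entries under someone else's package name. The script below is an added example, not code from Microsoft, EngageSDK or any source cited here: a Python audit that flags exported components from outside the app's own package that carry no permission guard. The manifest is constructed and every package and class name in it is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed merged manifest; all package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.vendor.sdk.RouterActivity" android:exported="true"/>
    <service android:name="com.vendor.sdk.SyncService" android:exported="true"
        android:permission="com.example.wallet.permission.SYNC"/>
    <receiver android:name="com.vendor.sdk.PushReceiver">
      <intent-filter><action android:name="com.vendor.sdk.PUSH"/></intent-filter>
    </receiver>
    <provider android:name=".FilesProvider" android:authorities="com.example.wallet.files"
        android:exported="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (tag, class name, how exported) for exported components that come
    from outside the app's package and have no android:permission guard."""
    root = ET.fromstring(xml_text)
    app_pkg = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(ANDROID + "name", "")
        if name.startswith(".") or "." not in name:  # name relative to the app package
            name = app_pkg + ("" if name.startswith(".") else ".") + name
        exported, how = comp.get(ANDROID + "exported"), "explicit"
        if exported is None:
            # Apps targeting releases before Android 12 may omit the attribute;
            # a component with an intent filter is then exported by default.
            exported = "true" if comp.find("intent-filter") is not None else "false"
            how = "implicit"
        third_party = not name.startswith(app_pkg + ".")
        if exported == "true" and third_party and not comp.get(ANDROID + "permission"):
            findings.append((comp.tag, name, how))
    return findings


if __name__ == "__main__":
    for tag, name, how in audit_manifest(SAMPLE_MANIFEST):
        print(f"review: <{tag}> {name} is exported ({how}) with no permission guard")
```

A flagged entry is a candidate for review of how that component handles incoming intents, not a confirmed flaw.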