Future Tech

Google settles location tracking lawsuit for only $39.9M

Tan KW
Publish date: Tue, 23 May 2023, 08:03 AM

In brief: Google has settled another location tracking lawsuit, yet again being fined a relative pittance.

Washington State Attorney General Bob Ferguson's office announced the $39.9 million fine last week, along with news that Google will have to implement several state-ordered tracking reforms that clarify what data is being gathered and for what purposes. 

"Today's resolution holds one of the most powerful corporations accountable for its unethical and unlawful tactics," Ferguson said in a statement. 

The lawsuit is similar to others filed across the country last year, with attorneys general in Indiana, Texas and Washington, DC joining Washington state in suing Google over claims it used "dark patterns" to trick users into allowing location tracking and data collection, while also making it difficult to opt out. 

In January, Washington DC and Indiana announced a joint settlement with Google that netted the pair $9.5 million and $20 million respectively, which the Washington state AG's office said it chose not to sign onto in a bid to earn more money for state coffers. 

"Instead of joining a multistate settlement, Ferguson's office independently filed its own lawsuit and obtained this resolution. The Attorney General's Office estimates Washington received more than double the amount it would have received under the wider multistate settlement," Ferguson's office said. 

While it's true that Washington state earned itself considerably more than DC or Indiana, it's worth noting, as we so often have to do at El Reg, that even a $40m settlement is unlikely to make Alphabet accountants take pause.

In Q1 of this year, Google's parent company announced [PDF] it had made $15.05 billion in net profit.

Ferguson's office said it intends to use its Google fine to continue enforcing the Consumer Protection Act. Its enforcement body, the Consumer Protection Division, receives minimal cash from the government and is largely funded by recoveries in cases like this one.

Non-phone Android devices still shipping with malware, too

We reported recently that Trend Micro security researchers at Black Hat Asia discovered millions of Android handsets built by budget OEMs were laced with malware. Now new reports this week point to popular Android TV boxes sold on Amazon having similar problems.

According to security researcher Daniel Milisic, who bought an infected set-top Android box from Amazon manufactured by Chinese company AllWinner, several popular models from AllWinner and fellow Chinese firm RockChip are shipping with malware that immediately reaches out to a C2 server once powered up. 

As with other similar malware, much of it comes with budget hardware manufactured by companies with poor supply chain security practices, and the bug could have been slipped in at any stage in production by any number of supply partners. 

Milisic claims to have found expired certificates on his device that pointed to Dotinapp, a mobile advertising platform that appears defunct. Just add this to the long list of similar issues that budget Android devices have dealt with over the years - consider this a lesson in "you get what you pay for" when it comes to computing hardware.

Google ditches CVEs for all but the most serious vulnerabilities

Google said it had plans to add a quality rating system to security vulnerability reports - yay - while also saying it plans to stop assigning CVEs to most reported issues - boo. 

Few would dispute that vulnerability reports could benefit from quality ratings based on details, analysis, the inclusion of proof of concepts and the like. Not attaching CVE numbers "to most moderate severity issues," however, seems less like an attempt to incentivise the discovery of and high-quality reporting on vulnerabilities and more a way to reduce what gets cataloged in a bid to look better.

CISA describes assigning a CVE ID as step one in cataloging known exploited vulnerabilities. Without data on medium- and low-severity vulnerabilities in Google products, only one company will benefit: Google, by obfuscating the bulk of its vulnerabilities. ®

 

https://www.theregister.com//2023/05/22/google_gets_another_great_deal/
