In essence, Android permissions system have (had?) a vulnerability that Facebook exploited, and Google is responsible to a small extent as the maintainer of the vulnerable software.
Google is very culpable because the various problems with Android's permission system were raised hundreds of times by security experts, both internal and external, and they didn't consider it a high priority to fix.
Even when they added a sane permission model in Android $VERSION, developers were allowed to bypass it for years by just building apps targeting Android $VERSION - 1 instead.
Google's web security may be the best in the world, but Android security is a disgrace and they should be called on it. (Fuschia may put them on top of the world if they ever switch Android to that, but we'll have to see whether that happens.)
Even when they added a sane permission model in Android $VERSION, developers were allowed to bypass it for years by just building apps targeting Android $VERSION - 1 instead.
Google's web security may be the best in the world, but Android security is a disgrace and they should be called on it. (Fuschia may put them on top of the world if they ever switch Android to that, but we'll have to see whether that happens.)