I remember the OSI layers, but we are not talking about a full OSI separated model on Android. Every App can use the WifiManager getScanResults() method to return the latest result of the Wifi network scan. This returns a list with the properties of the found access points which can be traversed. One of the fields for each scan entry is BSSID, which is the MAC address of that access point and another field is the signal level.
The Android weather App can paste the BSSID field in a data packet, for example together with GPS data if it is available and send it to the weather server. The weather server will then send data back based on the GPS information if it is available, or based on the MAC address if no GPS information is passed. If a GPS and MAC address are passed, the weather server updates the MAC address location based on the GPS info.
The nice thing of the method described above is that the Android doesn't even have to authenticate successfully with the access point to obtain the BSSID/MAC address. Therefore every Wifi access point in the neighborhood can be used to very accurately locate your Android device, as long as the physical location of that Wifi router is known. If more Wifi access points are seen, a calculation on the signal strengths of each individual connection may give an even more accurate positioning than "in the reach of access point A".
The other side of Android not having to authenticate with the Wifi access point is that any Android in the neigborhood of a Wifi access point can accurately update the location of that Wifi access point if the GPS on that Android device is enabled and the weather application is running. The Android of your neighbor can do that, or even the Android device of a stranger who just walked in your street and picked up the Wifi signal.
Remember all the buzz around Google's Street View cars also capturing data packets from Wifi routers in the areas they were capturing pictures? They are now replaced by walking capturing devices.