Shein App has accessed clipboard data on Android devices

An older version of the mobile app from Shein, the Chinese online fast-fashion retailer, regularly accessed the contents of the clipboard on Android devices.
The findings come from Microsoft, which described them in an advisory published Monday by Dimitrios Valsamaras and Michael Peck of the Microsoft 365 Defender Research Team.
“If a particular pattern was present, [the app] sent the contents of the clipboard to a remote server. While we are not aware of any malicious intent behind this behavior, we have assessed that this behavior was not necessary for users to complete their tasks on the app.”
After discovering the behavior, the tech giant reported it to Google (which runs the Android Play Store), which launched an investigation into the matter.
“We were notified by Google in May 2022 and we have confirmed that Shein has removed the behavior from the app,” Microsoft’s advisory says.
As a result of the disclosure, Google reportedly recognized the risks associated with clipboard access and improved the Android operating system. On Android 10, an app can't access the clipboard unless it has focus or is set as the default input method editor (IME).
On Android 12, a toast message informs users the first time an app calls ClipboardManager to access clipboard data from another app. And on Android 13, the content of the clipboard is automatically deleted for greater security.
In addition to the specific case of the Shein application, Microsoft highlighted that threats targeting clipboards have already been detected in the wild.
“[A]ny copied and pasted information could be vulnerable to being stolen or modified by attackers, such as passwords, financial data, personal information, cryptocurrency wallet addresses, and other sensitive information,” Valsamaras and Peck wrote.
To protect against such threats, the security researchers recommended that users always keep their apps up to date and never install apps from untrusted sources.
“Consider removing apps with unexpected behavior, such as accessing the clipboard, and report the behavior to the vendor or app store operator,” they added.
Microsoft’s advisory was released months after Shein’s holding company, Zoetop, was fined $1.9 million for failing to properly inform customers about a data breach.