SHEIN Shopping App Scam Gets Price & URL Data From Clipboard – Naked Security

by James · March 10, 2023

Chinese “fast fashion” brand SHEIN is no stranger to controversy, not least due to a data breach in 2018 that its then-parent company Zoetop failed to notice, let alone stop, and then handled unfairly.

New York State Attorney General Letitia James said in a statement in late 2022:

SHEIN and [sister brand] ROMWE’s weak digital security measures made it easy for hackers to steal customers’ personal information. […]

[P]Personal data was stolen and Zoetop tried to hide it. Failure to protect consumers’ personal data and lying are not trendy. SHEIN and ROMWE must strengthen their cyber security measures to protect consumers from fraud and identity theft.

At the New York court’s verdict, we expressed our surprise at the $1.9 million fine, which seems modest considering the scope of the deal:

Frankly, we were surprised that Zoetop (now SHEIN Distribution Corporation in the US) got off so lightly, given the company’s size, wealth and brand power, and the apparent lack of even basic precautions that could have prevented or mitigated the threat. for the breach and his continued dishonesty in handling the breach after it became known.

The Snoopy app code has just been revealed

What we didn’t know, even as this case was grinding its way through the New York justice system, was that SHEIN had added some strange (and dubious, if not malicious) code to its Android app that made it a basic “ marketing spyware tool’.

The news came earlier this week when Microsoft researchers published a retrospective analysis of SHEIN’s Android app version 7.9.2 from early 2022.

Although this version of the app has been updated many times since Microsoft reported its dubious behavior, and although Google has now added some mitigation tools to Android (see below) to help spot apps trying to get away with SHEIN’s tricks…

…this story is a stark reminder that even apps that are “verified and approved” on Google Play can operate in malicious ways that can undermine your privacy and security – like the rogue “Authenticator” app I wrote about two weeks ago.

Microsoft researchers did not say what made them interested in this application.

All we know is that they simply selected a representative sample of apps with high download numbers and automatically searched their decrypted code for intriguing or unexpected calls to system functions to compile a shortlist of interesting targets.

In the researchers’ own words:

First, we performed a static analysis of the application to identify the code responsible for the behavior. We then performed dynamic analysis by running the application in an instrumented environment to observe the code, including how it reads the clipboard and sends its contents to a remote server.

SHEIN’s app has over 100 million downloads, far less than superflying apps like Facebook (5B+), Twitter (1B+) and TikTok (1B+), but higher than other well-known and widely used apps. such as Signal (100 million+) and McDonald’s (100 million+).

Dig into the code

The application itself is huge, weighing 93 MByte in APK form (APK file, for short Android packageessentially a compressed ZIP archive) and 194 MByte unzipped and unzipped.

It contains a significant amount of library code in a package named top-level com.zzkko (ZZKKO was the original name of SHEIN), which contains a series of utilities in one package, the so-called com.zzkko.base.util.

These basic utilities include a so-called PhoneUtil.getClipboardTxt() which grabs the clipboard with the standard Android coding tools imported from here android.content.ClipboardManager:

Searching the SHEIN/ZZKKO code for the call to this utility shows that it is only used in one place, in a package with an interesting name. com.zzkko.util.MarketClipboardPhaseLinker:

As Microsoft’s analysis explains, this code, when triggered, reads whatever is on the clipboard and then tests to see if it contains both. :// and $as you might expect if you copied and pasted a search result containing someone else’s website and a price in dollars:

If the test succeeds, the code calls a function compiled into the package with an unimaginative (and presumably automatically generated) name. k()you send him a copy of the searched text as a parameter:

As you can see, even if you are not a programmer, this is an uninteresting feature k() wraps the sniffed clipboard data a POST request, which is a special HTTP connection that tells the server, “This isn’t a traditional GET request where I’m asking you to send me something, it’s an upload request where I’m sending you data.”

THE POST In this case, the request is uploaded to the URL https://api-service.shein.com/marketing/tinyurl/phrasewith HTTP content that typically looks like this:


 POST //marketing/tinyurl/phrase
 Host: api-service.shein.com
 . . .
 Content-Type: application/x-www-form-urlencoded

 phrase=...encoded contents of the parameter passed to k()...

As Microsoft kindly noted in their report:

While we are not aware of SHEIN’s malicious intent, even seemingly benign app behaviors can be exploited with malicious intent. Clipboard threats can compromise any copied and pasted information such as passwords, financial data, personal information, cryptocurrency wallet addresses, and other sensitive information to be stolen or modified by attackers.

URL encoding is usually used when you want to transmit URLs as data so they can’t be mixed up with “live” URLs that need to be visited, so they don’t contain illegal characters. For example, spaces are not allowed in URLs, so they are converted to the following in the URL data %20where the percent sign means “the special byte occurs as two hexadecimal characters” and 20 the hexadecimal ASCII code of the space (32 decimal). Similarly, a special series such as :// will be translated into language %3A%2F%2F, because the colon is ASCII 0x3A (decimal 58) and the slash is 0x2F (decimal 47). The dollar sign comes out as %24 (in 36 decimal places).

What to do?

According to Microsoft, Google’s response to this kind of behavior in otherwise trusted apps — what you might think of as “unintentional betrayal” — was to harden Android’s clipboard manager code.

Presumably, a better solution in theory would have been to tighten up clipboard access permissions, just like with the Play Store app review, but we assume that these responses were deemed too intrusive in practice.

Loosely speaking, the newer your Android version (or upgradeable), the stricter the clipboard handling.

It seems that in Android 10 and up, an app can’t read the clipboard at all unless it’s actively running in the foreground.

Granted, this doesn’t help much, but it does prevent apps you’ve left idle and perhaps forgotten about from lurking around after you’ve copied and pasted.

Android 12 and above will display a warning message saying “XYZ app pasted to clipboard”, but this warning appears to only appear the first time any app appears (which might be when you’d expect), not later when grabbing a clipboard. (when you didn’t).

And Android 13 will automatically clear the clipboard from time to time (we’re not sure exactly how often) to stop any data you might have forgotten lying around indefinitely.

Given that Google apparently doesn’t intend to control access to the clipboard as tightly as you’d hope, we’re echoing Microsoft’s advice here: “If you see something, say something… and vote with your feet, or at least your fingers.” :

Consider removing apps with unexpected behavior, such as access to the clipboard […] notifications and report the behavior to the vendor or app store operator.

If you have a fleet of corporate mobile devices and haven’t already implemented some form of mobile device management and anti-malware protection, why not take a look at what’s on offer now?