An old version of the Shein mobile app, from the Chinese online fast fashion retailer, has been spotted periodically accessing the contents of the Android device clipboard.
The findings come from Microsoft, who wrote about them in an advisory published by Dimitrios Valsamaras and Michael Peck of the Microsoft 365 Defender Research Team on Monday.
“If a particular pattern was present, [the app] sent the contents of the clipboard to a remote server. While we are not specifically aware of any malicious intent behind the behavior, we assessed that this behavior was not necessary for users to perform their tasks on the app.”
After discovering the behavior, the tech giant reported it to Google (who operates the Android Play Store), who opened a related investigation.
“In May 2022, Google informed us, and we confirmed that Shein removed the behavior from the application,” reads the Microsoft advisory.
As a result of the disclosure, Google reportedly recognized the risks associated with clipboard access and made improvements to the Android OS. In particular, on Android 10, applications cannot access the clipboard unless they have focus or are set as the default input method editor.
On Android 12, a toast message now lets users know when applications call the ClipboardManager to access clipboard data from another application for the first time. And on Android 13, the clipboard’s content is automatically cleared to provide extra security.
Beyond the specific case of the Shein app, Microsoft highlighted that threats targeting clipboards have already been spotted in the wild.
“[These] can put any copied and pasted information at risk of being stolen or modified by attackers, such as passwords, financial details, personal data, cryptocurrency wallet addresses and other sensitive information,” Valsamaras and Peck wrote.
To protect against these threats, the security researchers recommended users always keep apps up to date and never install apps from untrusted sources.
“Consider removing applications with unexpected behaviors, such as clipboard access toast notifications, and report the behavior to the vendor or app store operator,” they added.
The Microsoft advisory comes months after Shein’s holding company, Zoetop, was fined $1.9m for failing to properly inform customers of a data breach.
Editorial credit images: VicVa / Shutterstock.com