- I opened up a cheap 600W charger to test its build, and found 'goo' inside
- How to negotiate like a pro: 4 secrets to success
- One of the cheapest Android tablets I've ever tested replaced my iPad with no sweat
- I use this cheap Android tablet more than my iPad Pro - and don't regret it
- The LG soundbar made my home audio sound like a theater - even though it's not the newest model
Shein App Accessed Clipboard Data on Android Devices
An old version of the Shein mobile app, from the Chinese online fast fashion retailer, has been spotted periodically accessing the contents of the Android device clipboard.
The findings come from Microsoft, who wrote about them in an advisory published by Dimitrios Valsamaras and Michael Peck of the Microsoft 365 Defender Research Team on Monday.
“If a particular pattern was present, [the app] sent the contents of the clipboard to a remote server. While we are not specifically aware of any malicious intent behind the behavior, we assessed that this behavior was not necessary for users to perform their tasks on the app.”
After discovering the behavior, the tech giant reported it to Google (who operates the Android Play Store), who opened a related investigation.
“In May 2022, Google informed us, and we confirmed that Shein removed the behavior from the application,” reads the Microsoft advisory.
As a result of the disclosure, Google reportedly recognized the risks associated with clipboard access and made improvements to the Android OS. In particular, on Android 10, applications cannot access the clipboard unless they have focus or are set as the default input method editor.
On Android 12, a toast message now lets users know when applications call the ClipboardManager to access clipboard data from another application for the first time. And on Android 13, the clipboard’s content is automatically cleared to provide extra security.
Beyond the specific case of the Shein app, Microsoft highlighted that threats targeting clipboards have already been spotted in the wild.
“[These] can put any copied and pasted information at risk of being stolen or modified by attackers, such as passwords, financial details, personal data, cryptocurrency wallet addresses and other sensitive information,” Valsamaras and Peck wrote.
To protect against these threats, the security researchers recommended users always keep apps up to date and never install apps from untrusted sources.
“Consider removing applications with unexpected behaviors, such as clipboard access toast notifications, and report the behavior to the vendor or app store operator,” they added.
The Microsoft advisory comes months after Shein’s holding company, Zoetop, was fined $1.9m for failing to properly inform customers of a data breach.
Editorial credit images: VicVa / Shutterstock.com
