Shein App Accessed Clipboard Data on Android Devices

An outdated version of the mobile app from Chinese online fast fashion retailer Shein was discovered to regularly access the contents of an Android device’s clipboard.

Microsoft described the findings in an advisory released Monday, written by Dimitrios Valsamaras and Michael Peck of the Microsoft 365 Defender Research Team.

“If there is a certain pattern, [the app] sent the contents of the clipboard to the remote server. While we are not specifically aware of the malicious intent behind this behavior, we have determined that this behavior is not necessary for users to perform tasks in your app.”

After discovering the behavior, the tech giant reported it to Google, operator of the Android Play store, which launched a related investigation.

“We were notified by Google in May 2022 that Shein has removed this behavior from their applications,” reads Microsoft’s advisory.

As a result of the disclosure, Google is reportedly aware of the risks associated with clipboard access and has made improvements to the Android OS. Specifically, in Android 10, applications cannot access the clipboard unless the application has focus or is set as the default input method editor.

Android 12 now notifies the user with a toast message when an application calls ClipboardManager for the first time to access clipboard data from another application. Android 13 also automatically clears clipboard contents for added security.

Beyond the specific case of the Shein app, Microsoft emphasized that threats targeting the clipboard have already been discovered in the wild.

“Information that is copied and pasted, such as passwords, financial information, personal data, cryptocurrency wallet addresses, and other sensitive information, can be at risk of being stolen or altered by attackers,” Valsamaras and Peck wrote.

To protect against these threats, security researchers recommend that users keep their apps up to date and never install apps from untrusted sources.

“Consider removing applications with unexpected behavior, such as clipboard access toast notifications, and report the behavior to the vendor or app store operator,” they added.

Microsoft’s recommendation comes months after Shein’s holding company, Zoetop, was fined $1.9 million for failing to properly notify customers of a data breach.
