An error in an earlier version of Shein’s Android app might occasionally collect and send the clipboard’s contents to a distant server. According to the Microsoft 365 Defender Research Team, the issue was found in the app’s 7.9.2 update, which was made available on December 16, 2021. As of May 2022, the problem has been fixed.
Chinese online fast fashion store Shein, formerly known as ZZKKO, is based in Singapore. Almost 100 million people have downloaded the app, which is at version 9.0.0 and is available on the Google Play Store.
The tech giant added that the function is optional and that it is not “particularly aware of any nefarious purpose behind the behavior.” Still, he added that the behavior is not required to use the app.
It also noted that upon opening the program after copying any content to the device’s clipboard, an HTTP POST request containing the copied data was automatically sent to the server “api-service[.]shein[.]com.”
In order to reduce these privacy issues, Google has added new features to Android in recent years, such as toast alerts that appear whenever an app accesses the clipboard and a restriction that prevents apps from accessing the data unless they are actively operating in the foreground.
Clipboard contents may be a desirable target for assaults since mobile users’ sensitive data, such as payment or password information, is regularly copied and pasted, onto the clipboard, according to researchers Dimitrios Valsamaras and Michael Peck. Attackers may be able to exfiltrate useful data by utilizing clipboards to gather information about their targets.
Android’s Clipboard Security
Android programs have the ability to call the android.text, as seen in this instance with SHEIN. You can read from or write to the device’s clipboard using the ClipboardManager API without the user’s knowledge or any special Android permissions. As the device input method editor (keyboard), a specific application, normally handles copying and pasting, applications shouldn’t frequently need to accomplish this.
But, by using the ClipboardManager API, programs can facilitate tasks for users, such as swiftly choosing a text to copy. Google has acknowledged the dangers connected with clipboard access in response to our research findings and the larger problem at hand. To better safeguard users, Google has implemented the following changes to the Android platform:
A program cannot access the clipboard on Android 10 and later unless it is active (running on the device’s display) or set as the default input method editor (keyboard). This limitation prevents background programs from accessing the clipboard, but because the SHEIN application was active and running in the foreground, it would not have stopped the behavior described here.
When an application contacts the ClipboardManager to obtain clipboard data from another application for the first time on Android versions 12 and up, a toast notification alerts the user.
According to Microsoft, an Android device’s clipboard contents were being accessed needlessly by a version of the Shein shopping app that has more than 100 million installs on Google Play, potentially posing a security risk. In a blog post from Microsoft Threat Intelligence, the software behemoth said that it had requested Shein remove the functionality from its Android app that allowed access to user clipboards, and the latter had cooperated. Users must, however, update their programs in order to be safe.
Device clipboards can hold a wealth of private information, including passwords, account numbers, and all types of auto-fill information. According to a blog post by Microsoft, an outdated version of the Shein Android application regularly read the contents of the device’s clipboard and, if a specific pattern was present, transferred send the clipboard’s contents to a distant server. We determined that this conduct was not required for users to complete their duties on the app, even though we are not explicitly aware of any harmful intent driving the activity.