An old version of the Shein mobile app, from the Chinese online fast fashion retailer, was observed periodically reading the contents of the Android device's clipboard.
The findings come from Microsoft, whose Dimitrios Valsamaras and Michael Peck of the Microsoft 365 Defender Research Team described them in an advisory published Monday.
“If there was a certain pattern present, [the app] sent the contents of the clipboard to a remote server. While we are not specifically aware of any malicious intent behind the behavior, we determined that this behavior was not necessary for users to perform their tasks on the app.”
After discovering the behavior, the tech giant reported it to Google (which runs the Android Play Store), which opened a related investigation.
“In May 2022, Google notified us and we confirmed that Shein has removed the behavior from the application,” the Microsoft advisory reads.
Google has acknowledged the risks associated with clipboard access and has tightened clipboard handling over successive Android releases; the first of these restrictions, in Android 10, predates the Shein report. Since Android 10, an application cannot read the clipboard unless it is in the foreground with window focus or is the device's default input method editor (keyboard).
On Android 12, a toast message tells the user when an application calls the ClipboardManager to read clipboard data that another application placed there. And on Android 13, clipboard contents are automatically cleared after a period of time.
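The following Kotlin helper is an added example written for this article; it is not code from the Shein app or from Microsoft's advisory. It shows the three platform behaviors just described from an app developer's side: reading the clipboard only while the activity has window focus (the condition Android 10 enforces, returning null otherwise), marking a copied secret with the Android 13 sensitive flag so the system preview hides it, and clearing the clipboard explicitly on releases that do not auto-clear. The object name `ClipboardHelper` and the function names are this example's own choices.

```kotlin
import android.app.Activity
import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.PersistableBundle

// Added example, not the Shein app's or Microsoft's code. Name is an assumption.
object ClipboardHelper {

    // Read clipboard text only while this activity's window has focus.
    // Android 10+ enforces this itself: getPrimaryClip() returns null for a
    // background app that is not the default IME. Checking hasWindowFocus()
    // first makes the intent explicit instead of relying on a silent null.
    fun readClipboardText(activity: Activity): String? {
        if (!activity.hasWindowFocus()) return null
        val cm = activity.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
        val clip = cm.primaryClip ?: return null   // null when empty or access denied
        if (clip.itemCount == 0) return null
        // On Android 12+ this read shows the user a toast if another app
        // placed the clip, so only call it in direct response to a user action.
        return clip.getItemAt(0).coerceToText(activity)?.toString()
    }

    // Copy a secret (password, wallet address) and, on Android 13+, flag it as
    // sensitive so the system clipboard preview does not display it.
    fun copySensitiveText(context: Context, label: String, secret: String) {
        val cm = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
        val clip = ClipData.newPlainText(label, secret)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            clip.description.extras = PersistableBundle().apply {
                putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
            }
        }
        cm.setPrimaryClip(clip)
    }

    // Android 13 clears the clipboard on its own after a period of time; on
    // older releases an app that copied a secret should clear it once the
    // user is done (e.g. from onPause of the screen that offered the copy).
    fun clearClipboard(context: Context) {
        val cm = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip()
        } else {
            cm.setPrimaryClip(ClipData.newPlainText("", ""))
        }
    }
}
```

None of this stops a focused app from reading the clipboard while it is in the foreground, which is exactly what the Shein app did; the platform changes limit background scraping and give the user a visible signal, and the sensitive flag only affects the preview, not what another app can read.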
Aside from the specific case of the Shein app, Microsoft stressed that threats targeting clipboards have already been seen in the wild.
“[These] could be at risk of having copied and pasted information stolen or altered by attackers, such as passwords, financial data, personal data, cryptocurrency wallet addresses, and other sensitive information,” Valsamaras and Peck wrote.
To protect against these threats, the security researchers recommend that users keep apps updated and never install apps from untrusted sources.
“Consider removing applications with unexpected behavior, such as toast notifications for clipboard access, and report the behavior to the vendor or app store operator,” they added.
The Microsoft advisory comes months after Shein’s holding company, Zoetop, was fined $1.9 million for failing to properly inform customers about a data breach.