Shein, the Chinese online fashion retailer, has come under scrutiny once again, after an old version of its mobile app was found to be accessing the contents of Android device clipboards.
The behaviour was discovered by Microsoft, whose Threat Intelligence Team collaborated with Google’s Android Security Team to ensure that it was removed from the app.
The app was found to send the contents of the clipboard to a remote server if a particular pattern was present, though it is not clear whether there was any malicious intent behind the behaviour. As a result of the disclosure, Google reportedly recognized the risks associated with clipboard access and made improvements to the Android OS.
Shein reportedly removed the behaviour from the application in May 2022, according to the Microsoft advisory. However, the incident has raised concerns about threats targeting clipboards that have already been spotted in the wild.
Shein is the latest Chinese app to be scrutinized by researchers for potentially shady behaviour. Last year, as reported by Hackread.com, TikTok’s in-app browser was identified as a potential threat, capable of monitoring user activity on external websites.
Clipboard-targeting threats can put any copied and pasted information at risk of being stolen or modified by attackers, including sensitive information such as passwords, financial details, and cryptocurrency wallet addresses.
To protect against these threats, security researchers recommend users always keep apps up to date and never install apps from untrusted sources. They also suggest removing applications with unexpected behaviours, such as clipboard access toast notifications, and reporting the behaviour to the vendor or app store operator.
Microsoft’s blog post also suggests that “Users can protect themselves by watching out for the clipboard access message. If the message unexpectedly shows, they should assume that any data on the clipboard has been potentially compromised, and they should consider removing any applications that make suspicious clipboard accesses.”
The incident comes months after Shein’s holding company, Zoetop, was fined $1.9m (£1.69m) for failing to properly inform 32 million customers of a data breach.
It is likely to further damage the retailer’s reputation, which has already faced criticism over its fast fashion practices and working conditions in its factories.
As more consumers become aware of the risks associated with mobile app security, retailers and app developers will need to take greater responsibility for protecting user data and privacy.