Shein’s Android Application Found Sending Clipboard Data to External Servers

Chinese online fashion retailer, Shein, has been found to have had a bug in an older version of its Android application that periodically captured and transmitted clipboard contents to a remote server. The issue was discovered by the Microsoft 365 Defender Research Team in version 7.9.2 of the app, which was released on December 16, 2021. The issue has since been addressed as of May 2022.

Shein, formerly known as ZZKKO, is based in Singapore and has over 100 million downloads on the Google Play Store. The tech giant has stated that it is not “specifically aware of any malicious intent behind the behavior” but has noted that the function isn’t necessary to perform tasks on the app.

To mitigate such privacy risks, Google has made improvements to Android in recent years, including displaying toast messages when an app accesses the clipboard and barring apps from getting the data unless it is actively running in the foreground.

Mobile users often use the clipboard to copy and paste sensitive information, like passwords or payment information. Clipboard contents can be an attractive target for cyberattacks, according to researchers Dimitrios Valsamaras and Michael Peck. They further said, “Leveraging clipboards can enable attackers to collect target information and exfiltrate useful data.”

Given the prevalence of cyberattacks involving sensitive information, it is now more important than ever to be vigilant about what we share online.