Shein‘s Android app moved clipboard data to remote servers


A flaw in an older version of Shein‘s Android app periodically read contents of the clipboard and sent the data to a remote server, Microsoft researchers discovered.

Researchers claim that the Android app for Shein, a Chinese fashion e-tailer, had a flaw that allowed clipboard data to be taken from unaware users and transferred to a remote server.

The number of affected users could be in the millions, as Shein’s Android app has over 100 million downloads on the Google Play Store.

ADVERTISEMENT

While Microsoft researchers are unaware of any malicious intent from the app developers, they deemed collecting clipboard data unnecessary for users to properly use the app.

“Even if Shein’s clipboard behavior involved no malicious intent, this case highlights the risks that installed applications can pose, including those that are highly popular and obtained from the platform’s official app store,” researchers said.

Researchers reached out to Google, and Shein subsequently fixed the issue with its Android app in May.

Losing clipboard data can be particularly dangerous since users copy and paste sensitive information, such as passwords or payment details.

“Examples even exist of attackers hijacking and replacing the clipboard contents for malicious purposes, such as modifying a copied cryptocurrency wallet address before the user pastes it into a crypto wallet app or chat message,” researchers claim.

Shein, originally called ZZKKO, was established in 2008. The company’s revenue exceeded $15 billion in 2021 and is expected to have surpassed $20 billion in 2022.

ADVERTISEMENT