Attention Android users! If you have the Shein app installed on your device, you may want to update it to the latest version. Microsoft 365 Defender Research Team discovered a bug in version 7.9.2 of the app, released on December 16, 2021, which periodically captured and transmitted clipboard contents to a remote server. This could include sensitive information like passwords and payment details.
Shein, a popular Chinese online fast fashion retailer, has since addressed the issue as of May 2022. The company claims there was no malicious intent behind the behavior, but the function was unnecessary to perform tasks on the app. However, it’s important to note that launching the app after copying any content to the device clipboard automatically triggered an HTTP POST request containing the data to the server “api-service[.]shein[.]com.”
To prevent such privacy risks, Google has made improvements to Android, including displaying toast messages when an app accesses the clipboard and barring apps from getting the data unless it is actively running in the foreground. But it’s still crucial to be cautious when using the clipboard, as attackers can leverage it to collect and exfiltrate useful data.
Protect your privacy and stay safe while using apps by updating them regularly and keeping an eye out for any suspicious activity.
