A keyboard and a shopping cart are seen in front of a displayed Shein logo in this illustration picture taken October 13, 2020.
A keyboard and a shopping cart are seen in front of a displayed Shein logo in this illustration picture taken October 13, 2020. Reuters / Dado Ruvic

KEY POINTS

  • An old version of Shein's Android app periodically read the contents of Android devices' clipboard
  • It is unclear whether there was malicious intent behind the behavior
  • Shein's parent company was fined in October 2022 over a data breach

An old version of Chinese online fast fashion retailer Shein's mobile app was found to be accessing clipboard content on Android devices before being detected and reported by Microsoft to Google.

In a report released Monday, Microsoft said it discovered that an old version of Shein's Android app periodically read the contents of Android devices' clipboards and sent these contents to an unknown remote server if a particular pattern was present.

However, Microsoft said that it was unclear whether there was any malicious intent behind the behavior.

"Considering mobile users often use the clipboard to copy and paste sensitive information, like passwords or payment information, clipboard contents can be an attractive target for cyberattacks," Microsoft wrote. "Leveraging clipboards can enable attackers to collect target information and exfiltrate useful data."

Microsoft's Threat Intelligence Team discovered the behavior and reported the findings to Google's Android Security Team, which then ensured the behavior was removed from the app.

Shein, whose Android app is currently available on the Google Play Store with over 100 million downloads, reportedly removed the behavior from the app in May last year.

According to Microsoft, even if Shein's clipboard behavior had no malicious intent, the case still highlights the risks that even legitimate apps can pose.

"Even if Shein's clipboard behavior involved no malicious intent, this example case highlights the risks that installed applications can pose, including those that are highly popular and obtained from the platform's official app store," Microsoft said.

Users can protect themselves by watching out for the clipboard access message, the company said.

"If the message unexpectedly shows, they should assume that any data on the clipboard has been potentially compromised, and they should consider removing any applications that make suspicious clipboard accesses," Microsoft said.

The incident is the latest in Shein's string of controversies, which include a data breach in 2018 that led to a $1.9 million fine in October last year.

The New York Attorney General's office fined Shein's owner Zoetop after the latter reportedly failed to safeguard customer data and to inform millions of account holders that their personal information had been exposed, the BBC previously reported.

The log-in details of 39 million Shein accounts were stolen in 2018 by hackers. Zoetop allegedly notified "only a fraction" of affected customers and downplayed the extent of the data breach by reporting that only 6.42 million Shein accounts had been exposed in the incident.

The fast fashion giant also faced criticisms over its practices, including allegedly copying the work of designers and violating labor laws, according to a New York Times report.

Britain's Boohoo, China's SHEIN and Hong Kong's Emmiol operate the same internet-based business model -- produce items and collections at breakneck speed and rock-bottom prices
Britain's Boohoo, China's SHEIN and Hong Kong's Emmiol operate the same internet-based business model -- produce items and collections at breakneck speed and rock-bottom prices AFP / Jade Gao