Chinese “fast fashion” brand SHEIN is no stranger to controversy, not least because of a 2018 data breach that its then-parent company Zoetop failed to spot, let alone to stop, and then handled dishonestly. As Letitia James, Attorney General of the State of New York, said in a statement at the end of 2022:

SHEIN and [sister brand] ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data. […] [P]ersonal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft.

At the time of the New York court judgment, we expressed surprise at the apparently modest $1.9 million fine imposed, considering the reach of the business. What we didn’t know, even as this case was grinding through the New York judicial system, was that SHEIN was adding some curious (and dubious, if not actually malicious) code to its Android app that turned it into a basic sort of “marketing spyware tool”.

Microsoft researchers published a retrospective analysis of version 7.9.2 of SHEIN’s Android app, from early 2022, and found that the code, when triggered, reads in whatever happens to be in the clipboard, and then tests to see if it contains both :// and $, as you might expect if you’d copied and pasted a search result involving someone else’s website and a price in dollars. If the test succeeds, then the code sends a POST request to https://api-service.shein.com/marketing/tinyurl/phrase, with the encoded contents of the clipboard as a parameter.

This behavior is concerning as it can put any copied and pasted information at risk of being stolen or modified by attackers, such as passwords, financial details, personal data, cryptocurrency wallet addresses, and other sensitive information.
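For defenders who capture a device’s outbound traffic through a proxy or egress gateway, the behaviour described above is easy to turn into a detection rule. The following is an added example, not code from the original article or from the SHEIN app: it scans a constructed request log, picks out POSTs to the endpoint named in the article, decodes the form body, and flags any value that matches the heuristic the researchers describe (containing both :// and $). The log line format, and the form field name phrase, are assumptions made for the example; the real parameter name is not given in the article.

```python
"""
Added example (not from the article or SHEIN's code): flag outbound POSTs
to the endpoint named in the article whose form body carries a value that
looks like copied clipboard text under the article's heuristic
(contains both "://" and "$").
"""
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the article.
SUSPECT_HOST = "api-service.shein.com"
SUSPECT_PATH = "/marketing/tinyurl/phrase"

# Constructed sample log, one request per line: "METHOD URL BODY".
# BODY is application/x-www-form-urlencoded, or "-" when there is none.
# The field name "phrase" is an assumption, not taken from the article.
SAMPLE_LOG = """\
GET https://api-service.shein.com/product/123 -
POST https://api-service.shein.com/marketing/tinyurl/phrase phrase=https%3A%2F%2Fexample.com%2Fitem%3Fq%3Dshoes+%2459.99
POST https://api-service.shein.com/marketing/tinyurl/phrase phrase=hello+world
POST https://api-service.shein.com/marketing/tinyurl/phrase phrase=bc1qexampleaddress+%2412000
POST https://example.org/login user=alice&pw=hunter2
"""


def looks_like_copied_listing(text: str) -> bool:
    """The article's heuristic: a URL scheme marker and a dollar sign."""
    return "://" in text and "$" in text


def parse_line(line: str):
    """Split a constructed log line into (method, url, body)."""
    method, url, body = line.split(" ", 2)
    return method, url, body


def flag_clipboard_exfil(log_text: str):
    """Return a list of findings for requests matching host, path and heuristic."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        method, url, body = parse_line(line)
        parts = urlsplit(url)
        if method != "POST" or parts.hostname != SUSPECT_HOST or parts.path != SUSPECT_PATH:
            continue
        # parse_qs percent-decodes values and turns "+" back into spaces.
        fields = parse_qs(body) if body != "-" else {}
        for name, values in fields.items():
            for value in values:
                if looks_like_copied_listing(value):
                    findings.append({"line": lineno, "field": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in flag_clipboard_exfil(SAMPLE_LOG):
        print(f"line {f['line']}: field {f['field']!r} carries {f['value']!r}")
```

Only the second line is flagged: the third carries no URL or price, and the fourth (a constructed wallet-address-plus-price string) contains $ but no ://, so it falls outside the article's test, a reminder that the heuristic is the app's trigger condition, not a full description of what could be sent. Hunting on the destination alone (any POST to that host and path) would catch every such request regardless of content.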
Google responded to this kind of behavior in otherwise-trusted apps by beefing up Android’s clipboard handling code and making clipboard access permissions more restrictive. Android 12 and later pop up a warning message to say “XYZ app pasted from your clipboard”, and Android 13 automatically wipes out the clipboard.
Key Points:
• Chinese “fast fashion” brand SHEIN is no stranger to controversy due to a 2018 data breach.
• SHEIN added curious and dubious code to its Android app which turned it into a basic sort of “marketing spyware tool”.
• Microsoft researchers found that the code reads in whatever is in the clipboard and tests to see if it contains both :// and $.
• If the test succeeds, then the code sends a POST request to https://api-service.shein.com/marketing/tinyurl/phrase, with the encoded contents of the clipboard as a parameter.
• Google beefed up Android’s clipboard handling code and made clipboard access permissions more restrictive.
• Android 12 and later pops up a warning message, and Android 13 automatically wipes out the clipboard.