Protecting Android clipboard content from unintended exposure
Microsoft Security Blog, March 6, 2023
https://www.microsoft.com/en-us/security/blog/2023/03/06/protecting-android-clipboard-content-from-unintended-exposure/

Considering mobile users often use the clipboard to copy and paste sensitive information, like passwords or payment information, clipboard contents can be an attractive target for cyberattacks. Leveraging clipboards can enable attackers to collect target information and exfiltrate useful data. Examples even exist of attackers hijacking and replacing the clipboard contents for malicious purposes, such as modifying a copied cryptocurrency wallet address before the user pastes it into a crypto wallet app or chat message. Moreover, these types of attacks misuse a legitimate system feature rather than exploit a vulnerability, making the issue more challenging to mitigate.

Microsoft discovered that an old version of the SHEIN Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server. While we are not specifically aware of any malicious intent behind the behavior, we assessed that this behavior was not necessary for users to perform their tasks on the app.

SHEIN's Android application is published on the Google Play Store with over 100 million downloads. Even if SHEIN's clipboard behavior involved no malicious intent, this example case highlights the risks that installed applications can pose, including those that are highly popular and obtained from the platform's official app store. We reported our findings to Google, the Play Store operator, leading to an investigation by their Android Security Team. In May 2022, Google informed us and we confirmed that SHEIN removed the behavior from the application. We would like to thank Google's Android Security Team as well as the SHEIN team for their efforts and collaboration in addressing this issue. We would also like to thank the Google team for the improvements implemented to the Android platform to protect users from the risks associated with anomalous clipboard access.

In this blog, we detail how we identified the SHEIN app's clipboard behavior and how Android users can protect themselves against clipboard-based attacks. We also share this research with the larger security community to emphasize the importance of collaboration in the effort to improve security for all.

Static and dynamic analysis

The following analysis details how we identified and verified the presence of the SHEIN app's clipboard behavior, analyzing SHEIN app version 7.9.2 (SHA-256: ff07dc6e237acd19cb33e35c60cb2ae52c460aac76bc27116d8de76abec66c51). We first performed a static analysis of the app to identify the relevant code responsible for the behavior. We then performed a dynamic analysis by running the app in an instrumented environment to observe the code, including how it read the clipboard and sent its contents to a remote server.

Figure 1. An example of a call chain through the SHEIN app resulting in clipboard access

Identifying the code

Upon opening the application, the launcher activity com.shein.user_service.welcome.WelcomeActivity extends the com.zzkko.base.ui.BaseActivity class, which calls the iBaseActivityCallBack.h method in its onResume callback, depicted below on Line 11:

Figure 2. The com.zzkko.base.ui.BaseActivity class performing a call to the iBaseActivityCallBack.h method in the onResume callback

The com.zzkko.app.iBaseActivityCallBack is an interface implemented by the com.zzkko.app.BaseActivityCallBack class. The method h, partially depicted below, in turn calls the method o in the same class, as shown on Line 16:

Figure 3. Method h performing a call to the method o in the same class

Finally, the com.zzkko.app.BaseActivityCallBack.o method calls the com.zzkko.util.MarketClipboardPhaseLinker.f method, shown on Line 2:

Figure 4. The com.zzkko.app.BaseActivityCallBack.o method calls the com.zzkko.util.MarketClipboardPhaseLinker.f method

Method com.zzkko.app.BaseActivityCallBack.f, depicted below, checks whether the character sequences "$" and "://" are both present in the clipboard text (Line 6). If they are, method k in the same class is called with the clipboard text as a parameter (Line 8):

Figure 5. The com.zzkko.app.BaseActivityCallBack.f method checks the clipboard for "$" and "://", providing the clipboard text as a parameter to method k

Method com.zzkko.app.BaseActivityCallBack.k initiates a flow that performs a POST request to the server at BaseUrlConstant.APP_URL + "/marketing/tinyurl/phrase", which resolves to https://api-service[.]shein[.]com/marketing/tinyurl/phrase:

Figure 6. Method com.zzkko.app.BaseActivityCallBack.k initiating a flow, which performs a POST request to the server at BaseUrlConstant.APP_URL + "/marketing/tinyurl/phrase"

Since all of the application's activities (user interfaces) extend com.zzkko.base.ui.BaseActivity, the call chain described above was triggered any time the user launched a new activity, such as by starting or resuming the application or performing certain actions within the app.

Verifying the code's clipboard behavior

To verify our static analysis findings, we performed a dynamic analysis of the application, which we installed from the Google Play Store onto a Samsung device running Android 9.

We used Frida to intercept calls to the android.content.ClipboardManager.getText and com.zzkko.util.MarketClipboardPhaseLinker.f methods to analyze the application's clipboard behavior. We also used Frida to bypass the application's certificate pinning so that we could analyze network traffic using Burp Proxy.

We set the contents of the device clipboard to https://mybank[.]com/token=secretToken&transaction=100$ and opened the application.

Upon opening the application, the following calls were logged:

Figure 7. Call log displaying the app's clipboard filtering

In Figure 7 above, we observe the following: