1. Home
  2. Techniques
  3. Mobile
  4. Clipboard Data

Clipboard Data

Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.[1]

On Android, applications can use the ClipboardManager.OnPrimaryClipChangedListener() API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).[2][3]

On iOS, this can be accomplished by accessing the UIPasteboard.general.string field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read "application_name has pasted from Messages" when the text was pasted in a different application.[4]

ID: T1414
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-35
Version: 3.1
Created: 25 October 2017
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1079 BOULDSPY

BOULDSPY can collect clipboard data.[5]
S0421 GolfSpy

GolfSpy can obtain clipboard contents.[6]
S1241 RatMilad

RatMilad has collected clipboard content.[7]

S0295 RCSAndroid

RCSAndroid can monitor clipboard content.[8]
S0297 XcodeGhost

XcodeGhost can read and write data in the user’s clipboard.[9]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.[3]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0643 Detection of Clipboard Data AN1719

Application vetting services could detect usage of standard clipboard APIs.
AN1720

Application vetting services could detect usage of standard clipboard APIs.

References

  1. Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved September 12, 2024.
  2. Pearce, G. (, January). Retrieved August 8, 2019.
  3. Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.
  4. Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.
  5. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  1. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  2. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.
  3. Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
  4. Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.