Capture Clipboard Data

Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.[1]

On Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.[2]

Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).[3]

ID: T1414
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Collection, Credential Access
Platforms: Android, iOS
MTC ID: APP-35
Version: 2.0
Created: 25 October 2017
Last Modified: 13 September 2019

Procedure Examples

ID Name Description
S0421 GolfSpy

GolfSpy can obtain clipboard contents.[4]

S0295 RCSAndroid

RCSAndroid can monitor clipboard content.[5]

S0297 XcodeGhost

XcodeGhost can read and write data in the user’s clipboard.[6]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.

M1006 Use Recent OS Version

Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).[3]

Detection

Capturing clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References