
Capture Clipboard Data

Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.[1]

On Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.[2]

Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is in the foreground or is set as the device’s default input method editor (IME).[3]

ID: T1414
Tactic Type: Post-Adversary Device Access
Tactic: Collection, Credential Access
Platform: Android, iOS
MTC ID: APP-35
Version: 2.0
Created: 25 October 2017
Last Modified: 13 September 2019

Procedure Examples

Name | Description
RCSAndroid | RCSAndroid can monitor clipboard content.[5]
XcodeGhost | XcodeGhost can read and write data in the user’s clipboard.[4]

Mitigations

Mitigation | Description
Application Vetting | Applications could be vetted for their use of the clipboard manager APIs, with extra scrutiny given to applications that make use of them.
Use Recent OS Version | Android 10 prevents applications from accessing clipboard data unless the application is in the foreground or is set as the device’s default input method editor (IME).[3]
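
One way to apply the Application Vetting mitigation, shown as an added example that is not part of the ATT&CK entry or any MITRE tooling: a Python check over decompiled smali that flags references to android.content.ClipboardManager and raises the scrutiny level when a change listener is registered from a Service. The category names, scrutiny levels, function names and sample classes are assumptions of this example.

```python
import re

# Smali references to android.content.ClipboardManager members.
# Category names and scrutiny levels are assumptions of this example.
CLIPBOARD_REFS = {
    "listener": re.compile(
        r"Landroid/content/ClipboardManager;->addPrimaryClipChangedListener\("
        r"|Landroid/content/ClipboardManager\$OnPrimaryClipChangedListener;"),
    "read": re.compile(r"Landroid/content/ClipboardManager;->(getPrimaryClip|getText)\("),
    "write": re.compile(r"Landroid/content/ClipboardManager;->(setPrimaryClip|setText)\("),
}
SERVICE_SUPER = re.compile(r"^\.super Landroid/app/(Intent)?Service;", re.M)

def vet_class(smali_text):
    """Classify one decompiled class by how it touches the clipboard."""
    uses = sorted(k for k, rx in CLIPBOARD_REFS.items() if rx.search(smali_text))
    in_service = bool(SERVICE_SUPER.search(smali_text))
    if "listener" in uses and in_service:
        level = "high"    # change listener registered from a background component
    elif "listener" in uses or "read" in uses:
        level = "review"  # reads clipboard content; confirm it is user-driven
    elif uses:
        level = "low"     # write-only, such as a "copy" button
    else:
        level = "none"
    return {"uses": uses, "in_service": in_service, "level": level}

def vet_app(classes):
    """classes maps class name -> smali text; returns only flagged classes."""
    report = {name: vet_class(text) for name, text in classes.items()}
    return {n: r for n, r in report.items() if r["level"] != "none"}

# Constructed sample input (hypothetical app, not taken from any real APK).
SAMPLE_APP = {
    "com/example/sync/WatchService": (
        ".class public Lcom/example/sync/WatchService;\n"
        ".super Landroid/app/Service;\n"
        "invoke-virtual {v0, p0}, Landroid/content/ClipboardManager;->"
        "addPrimaryClipChangedListener("
        "Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;)V\n"
        "invoke-virtual {v0}, Landroid/content/ClipboardManager;->"
        "getPrimaryClip()Landroid/content/ClipData;\n"),
    "com/example/ui/ShareActivity": (
        ".class public Lcom/example/ui/ShareActivity;\n"
        ".super Landroid/app/Activity;\n"
        "invoke-virtual {v0, v1}, Landroid/content/ClipboardManager;->"
        "setPrimaryClip(Landroid/content/ClipData;)V\n"),
    "com/example/util/Strings": ".class Lcom/example/util/Strings;\n.super Ljava/lang/Object;\n",
}
```

String matching of this kind does not see clipboard access made through reflection or obfuscated call paths, so a clean result is a triage signal rather than proof that the API is unused.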

Detection

Capturing clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References