Clipboard Data

Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.[1]

On Android, applications can use the ClipboardManager.OnPrimaryClipChangedListener() API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).[2][3]

On iOS, this can be accomplished by accessing the UIPasteboard.general.string field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read "application_name has pasted from Messages" when the text was pasted in a different application.[4]

ID: T1414
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-35
Version: 3.1
Created: 25 October 2017
Last Modified: 16 March 2023

Procedure Examples

ID Name Description
S1079 BOULDSPY

BOULDSPY can collect clipboard data.[5]

S0421 GolfSpy

GolfSpy can obtain clipboard contents.[6]

S0295 RCSAndroid

RCSAndroid can monitor clipboard content.[7]

S0297 XcodeGhost

XcodeGhost can read and write data in the user’s clipboard.[8]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.[3]

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services could detect usage of standard clipboard APIs.

References