1. Home
  2. Techniques
  3. Mobile
  4. Capture Clipboard Data

Capture Clipboard Data

Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.[1]

On Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.[2]

Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).[3]

ID: T1414
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-35
Version: 2.0
Created: 25 October 2017
Last Modified: 13 September 2019
Provided by LAYER 8

Procedure Examples

ID Name Description
S0421 GolfSpy

GolfSpy can obtain clipboard contents.[4]
S0295 RCSAndroid

RCSAndroid can monitor clipboard content.[5]
S0297 XcodeGhost

XcodeGhost can read and write data in the user’s clipboard.[6]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.
M1006 Use Recent OS Version

Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).[3]

Detection

Capturing clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References

  1. Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019.
  2. Pearce, G. (, January). Retrieved August 8, 2019.
  3. Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.
  1. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  2. Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
  3. Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.