T1414 Clipboard Data
Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.[3]
On Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).[4][1]
On iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.[2]
Item | Value |
---|---|
ID | T1414 |
Sub-techniques | |
Tactics | TA0035, TA0031 |
Platforms | Android, iOS |
Version | 3.1 |
Created | 25 October 2017 |
Last Modified | 16 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0421 | GolfSpy | GolfSpy can obtain clipboard contents.[6] |
S0295 | RCSAndroid | RCSAndroid can monitor clipboard content.[7] |
S0297 | XcodeGhost | XcodeGhost can read and write data in the user’s clipboard.[5] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1006 | Use Recent OS Version | Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.[1] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | API Calls |
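
The Detection row above points to API calls surfaced during application vetting. A minimal sketch of such a check follows, as an added example that is not part of the ATT&CK entry: the rule set, function names and sample files are assumptions constructed for illustration, and a match is a cue for manual review, not proof of abuse.

```python
import re

# Clipboard API references an app-vetting pass can flag (assumed rule set).
# Many apps use the clipboard legitimately, so a hit only prompts review.
RULES = [
    ("android", "monitor",
     re.compile(r"addPrimaryClipChangedListener|OnPrimaryClipChangedListener")),
    ("android", "read", re.compile(r"\bgetPrimaryClip\b")),
    ("ios", "read", re.compile(r"UIPasteboard\.general\b|\bgeneralPasteboard\b")),
]

def vet_sources(sources):
    """Return sorted findings (path, line_no, platform, behaviour) for a
    {path: text} mapping of decompiled or extracted app source."""
    findings = set()
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for platform, behaviour, pattern in RULES:
                if pattern.search(line):
                    findings.add((path, line_no, platform, behaviour))
    return sorted(findings)

def summarize(findings):
    """Collapse findings to {path: behaviours}; 'monitor' marks a listener."""
    summary = {}
    for path, _, _, behaviour in findings:
        summary.setdefault(path, set()).add(behaviour)
    return {path: sorted(found) for path, found in summary.items()}

# Constructed sample input (not taken from any real application).
SAMPLE = {
    "smali/com/example/Sync.smali": (
        "invoke-virtual {v0, v1}, Landroid/content/ClipboardManager;"
        "->addPrimaryClipChangedListener("
        "Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;)V\n"
        "invoke-virtual {v0}, Landroid/content/ClipboardManager;"
        "->getPrimaryClip()Landroid/content/ClipData;\n"
    ),
    "ios/PasteHelper.swift": "let text = UIPasteboard.general.string\n",
    "java/com/example/Util.java": "int n = list.size();\n",
}

if __name__ == "__main__":
    for path, behaviours in summarize(vet_sources(SAMPLE)).items():
        print(path, behaviours)
```

An app that registers a listener ("monitor") but has no user-facing paste feature is the case worth escalating during review.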
References
- [1] Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.
- [2] Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.
- [3] Fahl, S., et al. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019.
- [5] Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.
- [6] E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
- [7] Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.