Skip to content

T1641.001 Transmitted Data Manipulation

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.

One method to achieve Transmitted Data Manipulation is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.

Adversaries may use Transmitted Data Manipulation to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.

Transmitted Data Manipulation was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.1

Item Value
ID T1641.001
Sub-techniques T1641.001
Tactics TA0034
Platforms Android
Version 1.1
Created 06 April 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S1062 S.O.V.A. S.O.V.A. can manipulate clipboard data to replace cryptocurrency addresses.3


ID Mitigation Description
M1006 Use Recent OS Version Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).2


ID Data Source Data Component
DS0041 Application Vetting API Calls