Clipboard Modification

Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.[1][2][3] Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.[4][5] Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.[6]

Adversaries may use Clipboard Modification to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.

Clipboard Modification had been seen within the Android/Clipper.C trojan. This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.[1]

ID: T1510
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
Version: 1.0
Created: 26 July 2019
Last Modified: 28 October 2019

Mitigations

ID Mitigation Description
M1005 Application Vetting

Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.

M1006 Use Recent OS Version

Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).[6]

Detection

Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References