Capture Clipboard Data
Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords copied and pasted from a password manager app could be captured by another application installed on the device.[1]
On Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.[2]
Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is in the foreground or is set as the device’s default input method editor (IME).[3]
Procedure Examples
Name | Description |
---|---|
GolfSpy | |
RCSAndroid | RCSAndroid can monitor clipboard content.[5] |
XcodeGhost | XcodeGhost can read and write data in the user’s clipboard.[6] |
Mitigations
Mitigation | Description |
---|---|
Application Vetting | Applications could be vetted for their use of the clipboard manager APIs, with extra scrutiny given to applications that make use of them. |
Use Recent OS Version | Android 10 prevents applications from accessing clipboard data unless the application is in the foreground or is set as the device’s default input method editor (IME).[3] |
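
One way to automate a first pass of the application vetting described above, as an added example that is not part of the original page: a Python scanner over smali text from a decompiled APK that flags ClipboardManager listener registration, reads and writes. The scoring scheme, file paths and sample classes are constructed assumptions, and plain string matching will not see reflective or native access.

```python
import re

# ClipboardManager invocations as they appear in smali (apktool/baksmali output).
CALL = re.compile(
    r"Landroid/content/ClipboardManager;->"
    r"(addPrimaryClipChangedListener|getPrimaryClip|getText|setPrimaryClip|setText)\(")
LISTENER = "Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;"
KIND = {"addPrimaryClipChangedListener": "monitor", "getPrimaryClip": "read",
        "getText": "read", "setPrimaryClip": "write", "setText": "write"}

def scan_smali(files):
    """files maps path -> smali text. Returns findings, highest score first."""
    findings = []
    for path, text in files.items():
        kinds = {KIND[m.group(1)] for m in CALL.finditer(text)}
        if re.search(r"^\.implements " + re.escape(LISTENER), text, re.M):
            kinds.add("monitor")
        if not kinds:
            continue
        sup = re.search(r"^\.super (\S+)", text, re.M)
        in_service = bool(sup) and sup.group(1) == "Landroid/app/Service;"
        # Scoring is this example's own heuristic: listeners outrank one-off
        # reads, reads outrank writes, and use inside a Service adds one.
        score = 3 if "monitor" in kinds else 2 if "read" in kinds else 1
        findings.append({"file": path, "kinds": sorted(kinds),
                         "service": in_service, "score": score + in_service})
    return sorted(findings, key=lambda f: (-f["score"], f["file"]))

# Constructed sample input: three classes from a hypothetical decompiled app.
SAMPLE = {
    "smali/com/example/EditActivity.smali": "\n".join([
        ".class public Lcom/example/EditActivity;",
        ".super Landroid/app/Activity;",
        "invoke-virtual {v0, v1}, Landroid/content/ClipboardManager;"
        "->setPrimaryClip(Landroid/content/ClipData;)V"]),
    "smali/com/example/SyncService.smali": "\n".join([
        ".class public Lcom/example/SyncService;",
        ".super Landroid/app/Service;",
        ".implements " + LISTENER,
        "invoke-virtual {v0, p0}, Landroid/content/ClipboardManager;"
        "->addPrimaryClipChangedListener(" + LISTENER + ")V",
        "invoke-virtual {v0}, Landroid/content/ClipboardManager;"
        "->getPrimaryClip()Landroid/content/ClipData;"]),
    "smali/com/example/About.smali": "\n".join([
        ".class public Lcom/example/About;", ".super Landroid/app/Activity;"]),
}

if __name__ == "__main__":
    for f in scan_smali(SAMPLE):
        print(f["score"], f["file"], ",".join(f["kinds"]))
```

A class that only writes to the clipboard (a "copy" button) scores lowest; a listener registered from a Service is the pattern a reviewer should open first.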
Detection
Capturing clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
References
- E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
- Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
- Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.