T1414: Clipboard Data
Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.[1]
On Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).[2][3]
On iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.[4]
Analyst context for executives and security teams
Clipboard Data (T1414) matters because mobile users often copy sensitive information, including passwords from password managers, into the system clipboard. A malicious Android or iOS app may try to read that clipboard through platform APIs, turning a normal usability feature into a data exposure path. Modern Android and iOS versions add important friction, but coverage depends on device OS level, app behavior, and whether risky apps are present.
Executive priority
Treat this as a mobile data-protection and device-hygiene issue. Leaders should ask whether managed mobile devices are on recent OS versions, whether app approval processes account for clipboard access risk, and whether SOC/IR teams have any practical way to investigate suspicious clipboard access by mobile apps. The main business value is reducing leakage of credentials or sensitive copied text from enterprise mobile devices.
Technical view
This technique applies to Android and iOS. Android behavior centers on clipboard monitoring via ClipboardManager.OnPrimaryClipChangedListener(), with Android 10 limiting use to foreground apps or the default input method editor. iOS behavior centers on UIPasteboard.general.string, with iOS 14 notifying users when text from another app is accessed. ATT&CK provides no official detection text, but a related detection strategy, DET0643 Detection of Clipboard Data, is listed. SOC and mobile security teams should validate whether mobile telemetry, app vetting, and incident intake can identify suspicious clipboard access patterns or user reports of unexpected paste notifications.
Likely telemetry
- Mobile device OS version and patch-level inventory from MDM or equivalent management tooling
- Installed mobile application inventory, including sideloaded or unmanaged apps where visible
- Android default input method editor / keyboard configuration where available
- Mobile threat defense or app analysis findings related to clipboard API use
- User-reported iOS paste notifications indicating one app accessed clipboard content originating from another app
Detection direction
- Confirm what DET0643 or local mobile detection content actually observes, because the ATT&CK technique object does not include official detection logic.
- Prioritize review of apps that access clipboard data unexpectedly, especially when access is not clearly tied to a user-driven paste action.
- On Android, pay particular attention to apps running as the foreground app or configured as the default input method editor, since Android 10 narrowed clipboard access to these contexts.
- On iOS, incorporate user reports of unexpected clipboard access notifications into SOC triage workflows, while accounting for legitimate cross-app paste behavior.
- Use ATT&CK software relationships as context for threat-informed testing: RCSAndroid, XcodeGhost, GolfSpy, BOULDSPY, and RatMilad are listed as using this technique, but that does not by itself prove activity in a local environment.
Mitigation priorities
- Prioritize M1006 Use Recent OS Version for managed Android and iOS devices, because the supplied ATT&CK description notes clipboard privacy improvements in Android 10 and iOS 14.
- Maintain mobile OS compliance evidence so risk owners can see which devices lack the platform-level protections described by Android and Apple.
- Strengthen app governance and mobile app review for applications that request or implement clipboard-related behavior without a clear business need.
- Review and govern Android default keyboard/input method choices, since the ATT&CK description identifies default IME status as relevant to clipboard access after Android 10.
- Educate users and help desk teams to report unexpected iOS clipboard access notifications, especially on enterprise-managed devices.
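The OS-compliance and default-keyboard checks above can be run against a device inventory export. The following is an added example, not part of the ATT&CK object or any MDM product: the CSV column names, the sample rows, and the keyboard allowlist are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of an MDM inventory export; the column names and the
# keyboard allowlist below are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,platform,os_version,default_ime
dev-001,android,9,com.android.inputmethod.latin
dev-002,android,13,com.example.unknownkeyboard
dev-003,android,14,com.google.android.inputmethod.latin
dev-004,ios,13.7,
dev-005,ios,17.4.1,
"""

APPROVED_IMES = {
    "com.android.inputmethod.latin",
    "com.google.android.inputmethod.latin",
}

# First OS major version with the clipboard protections the page describes.
MIN_MAJOR = {"android": 10, "ios": 14}

def major_version(version):
    """Return the leading integer of a version string such as '13.7'."""
    return int(version.strip().split(".")[0])

def triage(inventory_csv, approved_imes=APPROVED_IMES):
    """Return a sorted list of (device_id, finding) tuples for T1414 review."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["platform"].strip().lower()
        if platform not in MIN_MAJOR:
            findings.append((row["device_id"], "unknown-platform"))
            continue
        try:
            below = major_version(row["os_version"]) < MIN_MAJOR[platform]
        except ValueError:
            findings.append((row["device_id"], "unparseable-os-version"))
            continue
        if below:
            findings.append((row["device_id"], "os-below-clipboard-protections"))
        ime = (row.get("default_ime") or "").strip()
        # From Android 10 on, the default IME can still monitor the clipboard,
        # so an unapproved keyboard is worth review on any Android version.
        if platform == "android" and ime and ime not in approved_imes:
            findings.append((row["device_id"], "unapproved-default-ime"))
    return sorted(findings)
```

Calling `triage(SAMPLE_INVENTORY)` returns the devices that need follow-up; the findings are review prompts for risk owners, not evidence of clipboard abuse.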
Analyst notes and limits
The technique has no ATT&CK tactic listed in the supplied object and no official detection text. The strongest supplied mitigation relationship is M1006 Use Recent OS Version. Relationship context shows several Android and iOS malware/software entries using the technique, which supports prioritizing mobile telemetry and app vetting but should not be interpreted as evidence of current exploitation in any environment.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish detection coverage, active exploitation, attribution, or customer exposure. Local device management data, mobile security telemetry, app inventories, and incident reports are required to assess real risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1241: RatMilad
RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. [1]
S0297: XcodeGhost
XcodeGhost is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. [1] [2]
S0421: GolfSpy
GolfSpy is Android spyware deployed by the group Bouncing Golf.[1]
S1079: BOULDSPY
S0295: RCSAndroid
RCSAndroid is Android malware. [1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | ee7e66239215… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Fahl-Clipboard: Fahl, S., et al. (2013). Hey, You, Get Off of My Clipboard. Retrieved September 12, 2024.
- [2] Github Capture Clipboard 2019: Pearce, G. (, January). Retrieved August 8, 2019.
- [3] Android 10 Privacy Changes: Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.
- [4] UIPPasteboard: Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.
- [5] NIST Mobile Threat Catalogue APP-35
- [6] mitre-attack T1414
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.