T1641.001: Transmitted Data Manipulation
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.
One method to achieve Transmitted Data Manipulation is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.
Adversaries may use Transmitted Data Manipulation to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.
Transmitted Data Manipulation was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.[1]
Analyst context for executives and security teams
Transmitted Data Manipulation on Android matters because it targets trust in data before it reaches its intended destination. In practical terms, a malicious mobile app could change information moving between user actions, apps, storage, or external systems, such as replacing copied payment or cryptocurrency wallet text before it is pasted. The business issue is not only device compromise; it is corrupted decisions, fraudulent transactions, or hidden activity based on data users and systems believe is accurate.
Executive priority
Prioritize this where Android devices are used for financial workflows, cryptocurrency activity, customer service, field operations, approvals, or other processes where copied, transmitted, or app-to-app data affects business outcomes. Leaders should ask whether mobile OS currency, mobile app governance, and monitoring provide evidence that high-risk devices are resilient against known Android clipboard and transmission-manipulation behaviors. This technique also supports audit and incident-readiness questions: can the organization prove which mobile devices are on recent OS versions, which apps are allowed, and what evidence would exist if mobile-originated data integrity were questioned?
Technical view
This is a mobile ATT&CK sub-technique of Data Manipulation for Android. MITRE does not provide official detection text for this object, but it is related to detection strategy DET0683 and mitigation M1006, Use Recent OS Version. Defenders should validate whether Android fleet telemetry, mobile threat defense, EMM/MDM posture data, and app inventory can identify risky or unexpected applications, outdated Android versions, and suspicious clipboard-oriented behavior where observable. IR teams should treat suspected cases as data-integrity incidents as well as malware incidents: determine what data may have been changed in transit, what business process consumed it, and whether downstream records or transactions need review.
Likely telemetry
- Android OS version and patch-level posture from EMM/MDM or mobile inventory
- Installed application inventory, application source, and app reputation signals
- Mobile security alerts related to Android malware or suspicious application behavior
- Clipboard-related behavioral evidence where available from mobile security tooling or app instrumentation
- User reports of pasted values differing from copied values, especially payment or wallet strings
Detection direction
- Because MITRE provides no official detection procedure, validate coverage against DET0683 locally rather than assuming visibility exists.
- Tune mobile detections around anomalous or unwanted Android applications, especially apps running in the background that interact with copied content or sensitive workflows.
- Correlate mobile app inventory, OS version, and user-reported data mismatch events with downstream transaction anomalies.
- Account for false positives from legitimate clipboard managers, password managers, productivity tools, or enterprise apps that may interact with clipboard data.
- Pay special attention to Android versions before behavior changes introduced with Android 10, while still validating controls across the current fleet.
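An added example, not part of the original page or of MITRE's material: one way to run the correlation described in the list above over exported fleet data. The record layout, device ids, package names and addresses are constructed for illustration, and the address patterns check format only.

```python
import re
from collections import Counter

ANDROID_10_API = 29  # API level of Android 10, where clipboard behavior changed
# Format-only Bitcoin address patterns (legacy Base58, bech32); no checksum check.
BTC_ADDR = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")

def is_substitution(copied, pasted):
    """Both values are well-formed addresses but differ: the clipper pattern.
    Truncated or whitespace-padded pastes are not counted."""
    c, p = copied.strip(), pasted.strip()
    return c != p and bool(BTC_ADDR.match(c)) and bool(BTC_ADDR.match(p))

def triage(devices, reports, allowlist):
    """Correlate mismatch reports with app inventory and OS version."""
    affected = {r["device"] for r in reports
                if is_substitution(r["copied"], r["pasted"])}
    on_affected, on_clean = Counter(), Counter()
    for dev in devices:
        bucket = on_affected if dev["id"] in affected else on_clean
        # Allowlisted apps (password managers etc.) are excluded as known-good.
        bucket.update(set(dev["apps"]) - allowlist)
    # Suspects: apps present only on affected devices, most widespread first.
    suspects = sorted((a for a in on_affected if on_clean[a] == 0),
                      key=lambda a: (-on_affected[a], a))
    pre10 = sorted(d["id"] for d in devices
                   if d["id"] in affected and d["sdk"] < ANDROID_10_API)
    return {"affected": sorted(affected), "suspect_apps": suspects,
            "pre_android10": pre10}

# Constructed sample data (hypothetical device ids, packages and addresses).
ADDR_A, ADDR_B = "1" + "A" * 30, "1" + "B" * 30
DEVICES = [
    {"id": "dev-01", "sdk": 28, "apps": ["com.example.wallethelper", "com.example.passmgr"]},
    {"id": "dev-02", "sdk": 30, "apps": ["com.example.wallethelper", "com.example.notes"]},
    {"id": "dev-03", "sdk": 33, "apps": ["com.example.notes", "com.example.passmgr"]},
]
REPORTS = [
    {"device": "dev-01", "copied": ADDR_A, "pasted": ADDR_B},
    {"device": "dev-02", "copied": ADDR_A, "pasted": ADDR_B},
    {"device": "dev-03", "copied": ADDR_A, "pasted": ADDR_A[:12]},  # truncation
]
ALLOWLIST = {"com.example.passmgr"}

if __name__ == "__main__":
    print(triage(DEVICES, REPORTS, ALLOWLIST))
```

The suspect list is a starting point for app review, not a verdict: an app seen only on affected devices may still be unrelated when the sample of reports is small.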
Mitigation priorities
- Use M1006 as the control priority: maintain recent Android OS versions because newer mobile OS releases may include security architecture improvements that block observed techniques.
- Enforce mobile device compliance for OS version, patch level, and approved application sources before allowing access to sensitive business workflows.
- Restrict or review untrusted applications on devices used for financial, approval, cryptocurrency, or operational decision processes.
- Prepare incident response playbooks that include validation of altered mobile-originated data, not just removal of a suspicious application.
- Educate users in high-risk workflows to verify pasted destination values when the business impact of a changed value would be material.
Analyst notes and limits
The supplied ATT&CK object is specific to Android and includes clipboard modification as one method of transmitted data manipulation. The relationship context notes use by S.O.V.A. and BRATA, and that the older Clipboard Modification technique T1510 was revoked by this object. This take treats the behavior as a data-integrity and mobile-risk problem rather than only a malware alerting problem.
ATT&CK does not specify tactics for this object and provides no official detection text. The supplied fields do not establish active exploitation against any specific organization, guaranteed detection methods, or non-Android platform applicability. Local evidence from mobile management, security tooling, application inventories, and affected business processes is required to assess exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1641 | Data Manipulation | This object is a sub-technique of Data Manipulation. |
| Mobile | T1510 | Clipboard Modification | Clipboard Modification was revoked by this object. |
Groups, software, and campaigns
S1094: BRATA
BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]
S1062: S.O.V.A.
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 501af918a933… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Clipboard Modification February 2019. ESET. (2019, February 11). First clipper malware discovered on Google Play. Retrieved July 26, 2019.
- [2] mitre-attack T1641.001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.