cti/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json

{
    "type": "bundle",
    "id": "bundle--87d017b5-1ce1-4936-b2a4-df6cebdf1740",
    "spec_version": "2.0",
    "objects": [
        {
            "external_references": [
                {
                    "url": "https://attack.mitre.org/techniques/T1510",
                    "source_name": "mitre-mobile-attack",
                    "external_id": "T1510"
                },
                {
                    "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019.",
                    "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/",
                    "source_name": "ESET Clipboard Modification February 2019"
                },
                {
                    "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019.",
                    "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/",
                    "source_name": "Welivesecurity Clipboard Modification February 2019"
                },
                {
                    "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019.",
                    "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf",
                    "source_name": "Syracuse Clipboard Modification 2014"
                },
                {
                    "source_name": "Dr.Webb Clipboard Modification origin2 August 2018",
                    "url": "https://vms.drweb.com/virus/?i=17517761",
                    "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019."
                },
                {
                    "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019.",
                    "url": "https://vms.drweb.com/virus/?i=17517750",
                    "source_name": "Dr.Webb Clipboard Modification origin August 2018"
                },
                {
                    "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.",
                    "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data",
                    "source_name": "Android 10 Privacy Changes"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "Clipboard Modification",
            "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the <code>ClipboardManager.OnPrimaryClipChangedListener</code> interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)",
            "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb",
            "type": "attack-pattern",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "impact"
                }
            ],
            "modified": "2019-10-28T18:36:26.261Z",
            "created": "2019-07-26T14:15:31.451Z",
            "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
            "x_mitre_version": "1.0",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
            "x_mitre_platforms": [
                "Android"
            ]
        }
    ]
}