{
	"id": "711d2013-97df-454c-9783-a2ef045d85b1",
	"created_at": "2026-04-06T00:21:36.022096Z",
	"updated_at": "2026-04-10T13:13:08.934864Z",
	"deleted_at": null,
	"sha1_hash": "2c4d9b48547704a24c92330cecec0ae72ea25257",
	"title": "GitHub - grepx/android-clipboard-security: A project demonstrating a security hole In Android's API that allows any installed application to listen to changes to the clipboard (listen to everything that you copy and paste).",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 563157,
	"plain_text": "GitHub - grepx/android-clipboard-security: A project\r\ndemonstrating a security hole In Android's API that allows any\r\ninstalled application to listen to changes to the clipboard (listen to\r\neverything that you copy and paste).\r\nBy grepx\r\nArchived: 2026-04-05 16:15:23 UTC\r\nAndroid Clipboard Security Hole Demonstration App\r\nhttps://github.com/grepx/android-clipboard-security\r\nPage 1 of 8\n\nhttps://github.com/grepx/android-clipboard-security\r\nPage 2 of 8\n\nThis project demonstrates a security hole In Android's API that allows any installed application to listen to\r\nchanges to the clipboard (listen to everything that you copy and paste).\r\nIf it isn't clear why this is a genuine security hole consider that sensitive information is copied and pasted all of the\r\ntime:\r\nMany less security conscious users will copy and paste credit card numbers, bank details and passwords\r\nfrom other apps such as notes.\r\nMore security conscious users will often use password managers such as LastPass and 1Password and will\r\noften copy and paste passwords from the password manager app. 
How to protect against this attack is\r\ndiscussed below.\r\nPersonally, I've known about this hole for some time and have always been careful, but recently I entered\r\nmy credit card number into the wrong field on a form and quickly copied and pasted it across to the correct\r\nfield before realising what I was doing.\r\nThere are probably many more examples that can be given of reasons why sensitive information can pass through\r\nthe clipboard.\r\nHow it works\r\nThe important code for the attack is contained within ClipboardWatcherService.java and the real meat of the attack\r\nis this line of code:\r\n((ClipboardManager) getSystemService(CLIPBOARD_SERVICE)).addPrimaryClipChangedListener(listener)\r\nClipboardManager is a system service that allows you to register a listener for when the clipboard changes.\r\nThere is no permission required to access this service despite the fact that exposing it is far more dangerous\r\nthan many of the things on Android that require permission to be granted.\r\nIt would be difficult to accurately detect whether an app is using this API. The CLIPBOARD_SERVICE string could\r\nbe generated at runtime, and the references to ClipboardManager and\r\nClipboardManager.OnPrimaryClipChangedListener could be constructed using reflection at runtime. Besides, it's\r\ncurrently a valid API that has some valid use cases in certain apps such as looking up words in a dictionary or\r\nproviding additional clipboard functionality.\r\nWhen combined with internet access via the android.permission.INTERNET permission, attackers can\r\ntransmit your clipboard to a remote server. Almost every app has a good reason to request this permission and it\r\nwon't appear suspicious.\r\nDeploying the attack\r\nThe attack is designed to be incorporated into a simple malicious app that is then distributed via the Play store or\r\nelsewhere. 
There are over 2.4 million apps in the Play store, many of which are very simple apps that offer funny\r\npics, food recipes, wallpapers etc. They are cheap to make and require very little effort; template apps can be\r\nbought online. Google is quite good at removing malware from the store and the vast majority of apps are not\r\nmalicious. However, the risk remains and I believe that very few users realise how much access a seemingly\r\ninnocent app will have to their device, even without complex attack vectors or suspicious permissions.\r\nFrom my own experience watching user behaviour for my own apps on the Play store, many users keep apps\r\ninstalled that they haven't used for years. They forget they have them installed, and never bother to uninstall them.\r\nImproving the basic attack\r\nTo increase the potential of the attack I combined it with an alarm broadcast receiver that will run once a day and\r\nmake sure that the ClipboardWatcherService is still running (the user could have killed it or some battery\r\nmanager application might have done). This does not require any additional permissions.\r\nIn a real implementation I would probably batch the harvested clipboard data together and also use this alarm to\r\nupload it in the middle of the night when detection is less likely. The device is also likely to be plugged in and\r\ncharging so it won't show up in the battery usage statistics, and the device is also likely connected to wifi so it\r\nwon't show up in the data usage statistics (more advanced optimisations are possible for checking both of those).\r\nStart on device bootup\r\nI also added the android.permission.RECEIVE_BOOT_COMPLETED permission, so that I can automatically start the\r\nClipboardWatcherService when the device boots up. 
Without this, I would have to wait for the user to open my\r\napp again after a system restart before I can start the service, and since I'm hoping the user has forgotten about my\r\napp this will never happen.\r\nThis permission will not be listed by the Play store during install, since it is not considered a \"special permission\".\r\nThe only way a paranoid user could detect that a random recipe/wallpaper pic app is suspiciously requesting this\r\npermission is by scrolling down to the bottom of the Play store profile page and clicking \"Permission Details\" to\r\nsee the full set of permissions (nobody does this).\r\nWith this permission I can capitalise for many years harvesting clipboard data from users who have forgotten that\r\nmy app is installed or haven't bothered to uninstall it.\r\nLog which apps are installed on the device\r\nAndroid has a few ways to learn about which apps are installed on the device, none of them require any additional\r\npermissions. The simplest is to just use PackageManager :\r\nfinal PackageManager pm = getPackageManager();\r\nList\u003cApplicationInfo\u003e packages = pm.getInstalledApplications(PackageManager.GET_META_DATA);\r\nfor (ApplicationInfo packageInfo : packages) {\r\nif (packageInfo.packageName.equals(\"com.agilebits.onepassword\") |\r\npackageInfo.packageName.equals(\"com.lastpass.lpandroid\")) {\r\nlog.append(packageInfo.packageName);\r\nlog.append(\" is installed.\\n\\n\");\r\n}\r\n}\r\nHere I have narrowed the search to just see if 1Password or LastPass is installed, but I could target bitcoin or\r\nbanking related apps or just send the entire list to a remote server.\r\nI could also have executed pm list packages in a background shell to get this information.\r\nThe problem with password managers\r\nPassword managers are particularly vulnerable to this attack since many encourage the user to copy and paste\r\npasswords out of the app and into the password box for the app in question and many users will use the 
app like\r\nthis, trusting the clipboard to be secure.\r\nBoth 1Password and LastPass include the ability to copy and paste passwords directly out of the app (as well as\r\ncredit card numbers etc.). In my opinion, this option should be removed from both password managers if they\r\nreally care about their users' security. The users who are not savvy enough to know better are probably the same\r\nones who install random apps off the Play store and keep them installed for years.\r\nThankfully, both also have ways to avoid using the clipboard and they should educate their users to only use these\r\nmethods.\r\nBoth are essentially identical to configure:\r\n1. Enable auto-fill by going to Settings → Accessibility → LastPass / 1Password. This will enable the\r\npassword manager to quickly autofill the forms in many apps.\r\n2. Enable the password manager's custom keyboard by going to Language \u0026 input → Current keyboard →\r\nChoose keyboards and switching it on. To enter the password, you need to switch from your usual\r\nkeyboard to the custom keyboard each time. It will allow you to insert the password without going via the\r\nclipboard. This is used when auto-fill fails, which is quite often. It's not very convenient, but it's the only\r\nsecure way (except for typing it).\r\nWith these 2 methods available, you should never copy and paste passwords or other important information\r\nvia the clipboard on Android.\r\nConclusion\r\nIn my opinion, clipboard manager access in Android should at least require the user to give permission, and it\r\nshould be a \"special permission\" that's clearly listed during installation on the Play store. Also, the\r\nandroid.permission.RECEIVE_BOOT_COMPLETED should be bumped up to a \"special permission\" that's listed\r\nduring installation. 
Perhaps an additional permission should be added for requesting to see which apps are\r\ninstalled on the device. The permission system is still abused by many apps though, and users are increasingly\r\nblind to permission requests, so this might not be enough.\r\nThe next level of protection would require apps to show a persistent notification while they are listening to the\r\nclipboard. All of the apps that have a valid use case for listening to the clipboard such as dictionary lookups and\r\nclipboard helpers do this anyway.\r\nSource: https://github.com/grepx/android-clipboard-security",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/grepx/android-clipboard-security"
	],
	"report_names": [
		"android-clipboard-security"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434896,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c4d9b48547704a24c92330cecec0ae72ea25257.pdf",
		"text": "https://archive.orkl.eu/2c4d9b48547704a24c92330cecec0ae72ea25257.txt",
		"img": "https://archive.orkl.eu/2c4d9b48547704a24c92330cecec0ae72ea25257.jpg"
	}
}