
I was reading @harderstacker's post
The Paste That Wasn't Yours

And I was left with this big question...

How can we prevent this? 🤔

It's not the first time I've heard about this type of attack. And it's no secret that most of us beginners use almost all the default apps that come with our phones. Over time, I've learned to use open-source apps from sources like Zapstore. And I'd like to know if there's an open-source app, tested by any of the SN users, that can help us avoid these kinds of malicious things that lead to clipboard hijacking.

Obviously, the best option will always be to verify, character by character, the addresses we're copying and pasting before paying.

But I suppose there might be an app that can help us bypass the clipboard built into our Android phones.

Do you know of any open-source apps that can be used to replace the clipboard on our phones? 📲📋🚫

And thus add an extra layer of security. If you know of anything, you're welcome to share your knowledge. Thanks 🤝🤠

181 sats \ 1 reply \ @unboiled 18 Mar

Don't have recommendations for a clipboard. I don't use my phone for any meaningful transfers. And when I do, I don't work with the clipboard, only the built-in QR code scanner of my lightning wallet, or that of a companion app I need for local payments.

Obviously, the best option will always be to verify, character by character, the addresses we're copying and pasting before paying.

Focus on the checksum at the end, typically the last 6 characters, and the first 1-4.

Legacy (1...) and P2SH (3...) addresses use Base58Check leading to a variable checksum at the end, about 5-6 characters long.

SegWit (bc1q...) and taproot (bc1p...) addresses use Bech32/Bech32m with a 6 character long checksum at the end.

To produce a collision, in other words another address having the same checksum, you need well over a billion attempts, so it's very hard to get that done on the fly.

For normal use, I'm happy to check those alone. If I feel paranoid, I will check other additional random sets of characters in other positions of the address before signing.


Thank you for your response; it's very helpful. 🙏🤠


This is a sensitive issue; thank you for sharing this post.

@harderstacker – excellent post, thank you.

23 sats \ 1 reply \ @Tjacten 18 Mar

Fossify Keyboard and OpenBoard have clipboard features in them.


Thanks for the recommendation; I'll take a look when I have some time to check it out.


Thanks for sharing this helpful info. Not just for me, but for others to prevent similar issues.


I think we need standardized identicons that are the same across apps.

53 sats \ 1 reply \ @balthazar 18 Mar -100 sats

QR codes are your primary defense — every reputable wallet (Phoenix, Zeus, BlueWallet, Sparrow) has a built-in QR scanner. If you're copying an address from a browser, stop and ask why the counterparty didn't give you a QR. That friction alone eliminates most clipboard risk.

When you genuinely need the clipboard:

Verify before sending
Always compare the first 4 and last 6 characters of the pasted address against the original. Hijacked addresses are usually identical at neither end. Make it a reflex — paste, glance, send.

Android 13+ helps
Since Android 13, apps can only read the clipboard silently if they're in the foreground/active. Background clipboard sniffing is no longer silent — Android shows a toast notification. Keep your OS updated.

Restrict clipboard access per app
In Settings → Apps → [suspicious app] → Permissions, check if it has unnecessary access. Keyboards are a common vector; Fossify/OpenBoard are good choices and neither phones home.

Auto-clear the clipboard
On F-Droid there are apps like Clipper or simple Tasker profiles that wipe the clipboard after X seconds. Paste → send → cleared.

Test send first
For any significant amount, send a tiny amount first, confirm it arrived, then send the rest. Costs a few sats in fees but catches a hijacked address before real damage is done.

The QR habit costs you nothing and cuts the attack surface to near zero.

2 sats \ 0 replies \ @balthazar 20 Mar -50 sats

A few layers of defense worth combining:

1. Address verification ritual
Never paste and immediately send. After pasting, manually compare the full address — not just first/last 4 chars. Clipboard hijackers craft addresses that match your target's prefix and suffix. Verify the middle characters too.

2. Use wallet address books
For addresses you pay regularly (yourself, exchanges, friends), save them inside your wallet's address book. You select from there, never from clipboard.

3. QR codes for everything possible
As @unboiled mentioned — the QR code scanner in a good wallet bypasses clipboard entirely. If the other party can show a QR, use it.

4. Review accessibility permissions
On Android, go to Settings → Accessibility → Installed Apps. Revoke accessibility access from anything that doesn't need it. Clipboard hijackers frequently abuse the accessibility API to silently swap content.

5. Auto-clear clipboard
Fossify Keyboard (mentioned by @Tjacten) has a clipboard manager where you can set auto-clear after N seconds. Even 30 seconds helps close the window. Or manually clear by copying something harmless (a space) right after pasting your address.

6. Hardware wallet for send confirmation
When sending on-chain, a hardware wallet forces you to confirm the full destination address on the device screen — an environment the phone OS can't touch. That's the strongest protection for large sends.

Clipboard hijacking is a layered threat, so layered defense wins.
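The checksum check @unboiled describes (the last 6 characters of a Bech32/Bech32m address, the last 5-6 of a Base58Check address) and the paste comparison @balthazar describes in both replies (first 4 / last 6, then the full string) in working form. This is an added example written for this page, not code from any of the posters, from Zapstore or from any wallet: the decoders follow BIP173/BIP350 and Base58Check, the addresses in the demo are the well-known BIP173 test vector and the genesis coinbase address, the "hijacker" address is constructed at run time from an arbitrary 20-byte witness program, and the function names are the example's own.

```python
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # Bech32 alphabet (BIP173)
BECH32M_CONST = 0x2BC830A3                       # BIP350 constant for witness v1+
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def convertbits(data, frombits, tobits, pad):
    # Regroup bits (8->5 when encoding, 5->8 when decoding); None on bad padding.
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc, bits = (acc << frombits) | value, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    elif not pad and (bits >= frombits or (acc << (tobits - bits)) & maxv):
        return None
    return out


def segwit_encode(hrp, witver, program):
    # Bech32 (v0) / Bech32m (v1+) encoder; used here to build a second valid address.
    const = 1 if witver == 0 else BECH32M_CONST
    data = [witver] + convertbits(program, 8, 5, True)
    poly = bech32_polymod(hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def segwit_decode(addr):
    # (hrp, witness_version, program) for a valid bc1q.../bc1p... address, else None.
    if addr.lower() != addr and addr.upper() != addr:  # mixed case is invalid
        return None
    addr, pos = addr.lower(), addr.lower().rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in body):
        return None
    data = [CHARSET.index(c) for c in body]
    const = bech32_polymod(hrp_expand(hrp) + data)  # verifies the 6-char checksum
    if const not in (1, BECH32M_CONST):
        return None
    witver, program = data[0], convertbits(data[1:-6], 5, 8, False)
    if witver > 16 or program is None or not 2 <= len(program) <= 40:
        return None
    if (witver == 0) != (const == 1) or (witver == 0 and len(program) not in (20, 32)):
        return None
    return hrp, witver, bytes(program)


def base58check_decode(addr):
    # (version_byte, payload) for a valid 1.../3... address, else None.
    if any(c not in B58 for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1")))  # each leading '1' is a 0x00 byte
    raw += n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return None
    body, chk = raw[:-4], raw[-4:]  # trailing 4 bytes = double-SHA256 checksum
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != chk:
        return None
    return body[0], body[1:]


def checksum_ok(addr):
    return segwit_decode(addr) is not None or base58check_decode(addr) is not None


def compare_pasted(expected, pasted, head=4, tail=6):
    # The glance check from the thread, the full comparison and a checksum check.
    return {
        "identical": expected == pasted,
        "head_matches": expected[:head] == pasted[:head],
        "tail_matches": expected[-tail:] == pasted[-tail:],
        "pasted_checksum_ok": checksum_ok(pasted),
    }


if __name__ == "__main__":
    target = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"  # BIP173 test vector address
    # Constructed hijacker address: any 20-byte program the attacker controls.
    hijack = segwit_encode("bc", 0, hashlib.sha256(b"constructed attacker key").digest()[:20])
    print(hijack, compare_pasted(target, hijack))  # valid checksum, bc1q prefix, other tail
    print(checksum_ok("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"), checksum_ok("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"))
```

Two things the run makes concrete. A checksum check catches a typo or a truncated paste, but not a hijack: the attacker's address is a perfectly valid address, so `pasted_checksum_ok` is true for it and `head_matches` is true as well, because every SegWit v0 address starts with `bc1q`. The tail is where the information is: those six characters are 30 bits of checksum for Bech32 (about 2^30 candidates to match them, the "well over a billion attempts" in the thread) and a 32-bit double-SHA256 for Base58Check, so an attacker who matches both ends has done real work, and only `identical` being true actually settles it.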