Input Capture: Keylogging

ID Name
T1417.001 Keylogging
T1417.002 GUI Input Capture

Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.

Some methods of keylogging include:

  • Masquerading as a legitimate third-party keyboard to record user keystrokes.[1] On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
  • Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed. *Additional methods of keylogging may be possible if root access is available.
ID: T1417.001
Sub-technique of:  T1417
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: AUT-13
Version: 1.1
Created: 05 April 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0422 Anubis

Anubis has a keylogger that works in every application installed on the device.[2]

S1079 BOULDSPY

BOULDSPY can capture keystrokes.[3]

S1094 BRATA

BRATA can log device keystrokes.[4][5][6]

S0655 BusyGasper

BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.[7]

S0480 Cerberus

Cerberus can record keystrokes.[8]

S1083 Chameleon

Chameleon can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.[9]

S1054 Drinik

Drinik can use keylogging to steal user banking credentials.[10]

S1092 Escobar

Escobar can collect application keylogs.[11]

S0478 EventBot

EventBot can abuse Android’s accessibility service to record the screen PIN.[12]

S0522 Exobot

Exobot has used web injects to capture users’ credentials.[13]

S0408 FlexiSpy

FlexiSpy can record keystrokes and analyze them for keywords.[14]

S0406 Gustuff

Gustuff abuses accessibility features to intercept all interactions between a user and the device.[15]

S0407 Monokle

Monokle can record the user's keystrokes.[16]

S1062 S.O.V.A.

S.O.V.A. can use keylogging to capture user input.[17]

S1055 SharkBot

SharkBot can use accessibility event logging to steal data in text fields.[18]

G0112 Windshift

Windshift has included keylogging capabilities as part of Operation ROCK.[19]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[20]

M1011 User Guidance

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services can look for applications requesting the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.

DS0042 User Interface System Settings

On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard.

References