Defender correlates an app acquiring input-capture capability (AccessibilityService enablement, or the app being set as the default IME) with high-frequency text-change or IME commit callbacks sourced from other packages, followed by local keylog persistence and/or small, immediate network egress. Chain: capability/permission → intercept (accessibility `TYPE_VIEW_TEXT_CHANGED` events or IME `commitText`/`onStartInput` bursts) → persist to app container → near-term egress.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | android:logcat | Grant/enablement for `BIND_ACCESSIBILITY_SERVICE` or `BIND_INPUT_METHOD` for |
| OS API Execution (DC0021) | android:logcat | `AccessibilityService` connected, `TYPE_VIEW_TEXT_CHANGED`, or `TYPE_VIEW_FOCUSED` events for other packages |
| Application Log Content (DC0038) | android:logcat | Default IME active `imeId=` |
| File Creation (DC0039) | android:logcat | CREATE/WRITE to `/data/data/` |

| Field | Description |
|---|---|
| TimeWindowSeconds | Maximum time between intercept → persist/exfil (e.g., 5–45s). |
| MinKeyEventBurst | Minimum input events within the window to flag (e.g., ≥10). |
| RequireA11yOrIME | Only alert when the capability comes via Accessibility or IME (true/false). |
| PersistPathRegex | Regex matching keylog artifacts in the app container. |
| ExfilDomainAllowlist | Enterprise/analytics endpoints to suppress false positives. |
| UserContext | Foreground, Work Profile, or Kiosk context used to scope alerts. |


Defender correlates activation of a custom keyboard extension (optionally with TCC ‘Full Access’ granted) or abnormal UI text-entry interception with local keylog persistence and/or small network egress. Chain: capability/consent (keyboard Full Access / TCC grant) → intercept (keyboard commit events or repeated secure-text-entry edits) → persist to container → near-term egress.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | iOS:unifiedlog | Keyboard extension Full Access change or related privacy grant for |
| Application Log Content (DC0038) | iOS:unifiedlog | Secure text entry focus and `editingChanged` bursts not typical for the app |
| File Creation (DC0039) | iOS:unifiedlog | CREATE/WRITE of keylog artifacts (`keys_*.txt`, `inputs.db`) within the app/keyboard container |

| Field | Description |
|---|---|
| TimeWindowSeconds | Maximum time from intercept → persist/exfil (e.g., 5–60s). |
| MinKeyEventBurst | Minimum keyboard commit or `editingChanged` events within the window (e.g., ≥10). |
| KeyboardFullAccessRequired | Require Full Access to elevate severity (true/false). |
| PersistPathRegex | Regex matching keylog artifacts under container paths. |
| ExfilDomainAllowlist | Allowlisted enterprise/analytics endpoints. |
| UserContext | Foreground state, Focus modes, MDM policy. |
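The Android (accessibility/IME) and iOS (keyboard extension) chains above have the same shape, so one correlator can serve both. The following is an added example written for this page, not part of the ATT&CK detection strategy text or any vendor's product. It assumes an upstream normalisation step has already turned android:logcat or iOS:unifiedlog records into `(timestamp, package, kind, detail)` events (that event model is this example's own), finds an intercept burst of at least MinKeyEventBurst events inside TimeWindowSeconds, and then looks for a PersistPathRegex match or a non-allowlisted egress within the same window after the burst. RequireA11yOrIME, ExfilDomainAllowlist and KeyboardFullAccessRequired are applied as described in the tables; UserContext is not modelled. Every package name, path and host in the sample stream is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Normalised event model (this example's assumption), standing in for
# records already parsed from android:logcat or iOS:unifiedlog.
@dataclass(frozen=True)
class Event:
    ts: float    # seconds since the start of the capture
    pkg: str     # Android package name or iOS bundle id
    kind: str    # "capability" | "intercept" | "persist" | "egress"
    detail: str  # capability type, intercept source, file path, or destination host


@dataclass
class Config:
    # The tunable fields from the tables above, snake_cased.
    time_window_seconds: float = 45.0
    min_key_event_burst: int = 10
    require_a11y_or_ime: bool = True
    persist_path_regex: str = r"(keys_\w*\.txt|inputs\.db|keylog)"
    exfil_domain_allowlist: frozenset = frozenset({"metrics.corp.example"})
    keyboard_full_access_required: bool = False  # iOS: Full Access raises severity when set


# Capability grants that put other apps' keystrokes within reach.
INPUT_CAPTURE_CAPABILITIES = {"accessibility", "ime", "keyboard_full_access"}


@dataclass
class Alert:
    pkg: str
    capability: str
    burst_size: int
    burst_end: float
    persist_path: Optional[str]
    egress_host: Optional[str]
    severity: str


def find_burst(intercepts: List[Event], cfg: Config) -> Optional[Tuple[int, float, float]]:
    """First run of >= min_key_event_burst ts-sorted intercepts that fits in the window.
    Returns (size, start_ts, end_ts) or None; two-pointer sweep, O(n)."""
    j = 0
    for i in range(len(intercepts)):
        j = max(j, i)
        while (j + 1 < len(intercepts)
               and intercepts[j + 1].ts - intercepts[i].ts <= cfg.time_window_seconds):
            j += 1
        size = j - i + 1
        if size >= cfg.min_key_event_burst:
            return size, intercepts[i].ts, intercepts[j].ts
    return None


def correlate(events: List[Event], cfg: Config) -> List[Alert]:
    """Walk capability -> intercept burst -> persist/egress for each package."""
    by_pkg: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pkg.setdefault(ev.pkg, []).append(ev)
    path_re = re.compile(cfg.persist_path_regex)
    alerts: List[Alert] = []
    for pkg, evs in by_pkg.items():
        caps = [e.detail for e in evs if e.kind == "capability"]
        if not caps:
            continue  # never gained an input-capture capability: not this chain
        if cfg.require_a11y_or_ime and not INPUT_CAPTURE_CAPABILITIES.intersection(caps):
            continue
        burst = find_burst([e for e in evs if e.kind == "intercept"], cfg)
        if burst is None:
            continue
        size, _, burst_end = burst
        horizon = burst_end + cfg.time_window_seconds  # persist/exfil must land in here
        persist = next((e for e in evs if e.kind == "persist"
                        and burst_end <= e.ts <= horizon and path_re.search(e.detail)), None)
        egress = next((e for e in evs if e.kind == "egress"
                       and burst_end <= e.ts <= horizon
                       and e.detail not in cfg.exfil_domain_allowlist), None)
        if persist is None and egress is None:
            continue  # a burst on its own is what any legitimate keyboard produces
        cap = next((c for c in caps if c in INPUT_CAPTURE_CAPABILITIES), caps[0])
        severity = "high" if (persist and egress) else "medium"
        if cfg.keyboard_full_access_required and cap == "keyboard_full_access":
            severity = "high"
        alerts.append(Alert(pkg, cap, size, burst_end,
                            persist.detail if persist else None,
                            egress.detail if egress else None, severity))
    return alerts


ANDROID_APP, IOS_KB, BENIGN_IME, NOTES = ("com.example.inputhelper", "com.example.keyboardkit",
                                          "com.example.swiftype", "com.example.notes")
# Constructed sample stream: every name, path and host is made up for this example.
SAMPLE_EVENTS: List[Event] = [
    Event(0, ANDROID_APP, "capability", "accessibility"),
    *[Event(10 + i, ANDROID_APP, "intercept", "TYPE_VIEW_TEXT_CHANGED from com.example.bank")
      for i in range(10)],
    Event(22, ANDROID_APP, "persist", "/data/data/com.example.inputhelper/files/keys_1.txt"),
    Event(25, ANDROID_APP, "egress", "unknown-host.example"),
    Event(1, IOS_KB, "capability", "keyboard_full_access"),
    *[Event(30 + i, IOS_KB, "intercept", "secure text entry editingChanged") for i in range(12)],
    Event(50, IOS_KB, "persist", "/constructed/keyboard-container/Documents/inputs.db"),
    Event(2, BENIGN_IME, "capability", "ime"),  # real keyboard: burst, allowlisted telemetry only
    *[Event(5 + i, BENIGN_IME, "intercept", "commitText") for i in range(15)],
    Event(21, BENIGN_IME, "egress", "metrics.corp.example"),
    Event(3, NOTES, "persist", "/data/data/com.example.notes/databases/notes.db"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, Config()):
        print(alert)
```

Run as-is, the Android app alerts at high severity (keylog file and egress both follow the burst) and the iOS keyboard at medium (persistence only); setting `keyboard_full_access_required=True` lifts the keyboard to high, the legitimate IME never alerts because its only egress is allowlisted, and raising `min_key_event_burst` above the observed bursts silences everything. The window is anchored on the end of the burst rather than its start so that a slow typist does not push the persist/exfil step out of range.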