Defender observes an app gaining input-observation capability (AccessibilityService enablement, default IME set, draw-over-apps permission), then creating an intercept surface (overlay window, accessibility event stream consumption or IME keystroke callbacks), followed by persistence (local keylog/clipboard dump) and/or small, frequent network egress. Chain: capability/permission → listener/overlay activation → bursty input read events → local write → near-term exfil.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | android:logcat | Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for |
| OS API Execution (DC0021) | android:logcat | AccessibilityService connected\|TYPE_VIEW_TEXT_CHANGED\|TYPE_VIEW_FOCUSED events for other packages |
| Application Log Content (DC0038) | android:logcat | Default IME changed/active: imeId= |
| File Creation (DC0039) | android:logcat | CREATE/WRITE paths like /data/data/ |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from input intercept to persist/exfil (e.g., 5–45s). |
| MinInputEventBurst | Minimum count of input events within window to flag harvesting (e.g., ≥5). |
| OverlayRequired | Require overlay creation if Accessibility not present (true/false). |
| PersistPathRegex | Regex for keylog/clipboard dump destinations in app container. |
| ExfilDomainAllowlist | Known-good analytics/CDN endpoints to suppress FPs. |
| UserContext | Foreground/background/Work Profile or Kiosk policy to scope alerts. |

Defender observes an app enabling or using input-capture surfaces (custom keyboard extension with Full Access, abnormal UI text entry interception, pasteboard polling adjacent to login screens), then persisting and/or exfiltrating captured input. Chain: capability/consent (TCC for keyboard Full Access or input privacy domains) → intercept behavior (keyboard extension active, repeated text field ‘editingChanged’/secure entry focus, background pasteboard reads) → local write → near-term egress.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | iOS:unifiedlog | Keyboard extension Full Access change; privacy grant touching input/keyboard categories for |
| Application Log Content (DC0038) | iOS:unifiedlog | UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling |
| File Creation (DC0039) | iOS:unifiedlog | CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from intercept to persist/exfil (e.g., 5–60s). |
| MinKeyEventBurst | Minimum key/commit or editingChanged count to flag harvesting (e.g., ≥10). |
| KeyboardFullAccessRequired | Require keyboard Full Access to escalate severity (true/false). |
| PersistPathRegex | Regex for keylog/clipboard dump files. |
| ExfilDomainAllowlist | Known-good enterprise/analytics endpoints. |
| UserContext | Foreground state, Focus modes, MDM policy. |
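The chain both the Android and iOS analytics above describe (capability → intercept → input burst → persist/exfil within TimeWindowSeconds, gated by MinInputEventBurst and ExfilDomainAllowlist) can be correlated as shown in this added Python example; it is not ATT&CK's or any vendor's code, and the package names, hosts, timings and allowlist entry are constructed.

```python
from collections import namedtuple
# Tunables from the page's parameter tables (the page's example values).
TIME_WINDOW_SECONDS, MIN_INPUT_EVENT_BURST = 45, 5
EXFIL_DOMAIN_ALLOWLIST = {"analytics.example-cdn.invalid"}  # constructed entry

# ts: seconds; pkg: package/bundle id; kind: capability|intercept|input|persist|exfil;
# detail: permission name, event type, file path or destination host.
Event = namedtuple("Event", "ts pkg kind detail")

def find_burst(stamps, min_burst, window):
    """Return (start, end) of the first min_burst timestamps spanning <= window seconds, else None."""
    ts = sorted(stamps)
    for i in range(len(ts) - min_burst + 1):
        if ts[i + min_burst - 1] - ts[i] <= window:
            return ts[i], ts[i + min_burst - 1]
    return None

def evaluate(events, window=TIME_WINDOW_SECONDS, min_burst=MIN_INPUT_EVENT_BURST,
             allowlist=EXFIL_DOMAIN_ALLOWLIST):
    """Map pkg -> sinks for chains capability -> intercept -> input burst -> persist/exfil."""
    by_pkg, alerts = {}, {}
    for e in events:
        by_pkg.setdefault(e.pkg, []).append(e)
    for pkg, evs in by_pkg.items():
        stamps = lambda kind: [e.ts for e in evs if e.kind == kind]
        cap, icpt = stamps("capability"), stamps("intercept")
        if not cap or not icpt or min(cap) > min(icpt):
            continue  # capability grant must precede listener/overlay/IME activation
        burst = find_burst([t for t in stamps("input") if t >= min(icpt)], min_burst, window)
        if burst is None:
            continue  # no qualifying burst of input-read events
        end = burst[1]  # sinks count only within `window` seconds after the burst
        hits = [f"{e.kind}:{e.detail}" for e in evs if end <= e.ts <= end + window
                and (e.kind == "persist" or (e.kind == "exfil" and e.detail not in allowlist))]
        if hits:
            alerts[pkg] = hits
    return alerts

# Constructed sample telemetry (not real log output): one harvesting chain, one benign IME
# whose only egress goes to an allowlisted analytics host and which writes nothing locally.
SAMPLE_EVENTS = [
    Event(0, "com.example.harvester", "capability", "BIND_ACCESSIBILITY_SERVICE"),
    Event(2, "com.example.harvester", "intercept", "AccessibilityService connected"),
    *[Event(10 + i, "com.example.harvester", "input", "TYPE_VIEW_TEXT_CHANGED") for i in range(5)],
    Event(20, "com.example.harvester", "persist", "/data/data/com.example.harvester/files/keys.txt"),
    Event(30, "com.example.harvester", "exfil", "c2.example.invalid"),
    Event(0, "com.example.keyboard", "capability", "BIND_INPUT_METHOD"),
    Event(1, "com.example.keyboard", "intercept", "Default IME changed"),
    *[Event(10 + i, "com.example.keyboard", "input", "onKeyDown") for i in range(5)],
    Event(20, "com.example.keyboard", "exfil", "analytics.example-cdn.invalid"),
]
```

Tightening TimeWindowSeconds or raising MinInputEventBurst drops the harvester alert, which is the intended tuning lever when a legitimate IME or password manager produces the same capability and burst pattern.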