1. Home
  2. Techniques
  3. Mobile
  4. Input Capture

Input Capture

ID Name
T1417.001 Keylogging
T1417.002 GUI Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Keylogging) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. GUI Input Capture).

ID: T1417
Sub-techniques:  T1417.001, T1417.002
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-31, AUT-13
Version: 2.3
Created: 25 October 2017
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1225 CherryBlos

CherryBlos has captured victims' credentials through predefined fake activities.[1]

S1231 GodFather

GodFather has the captured information about the device's screen to include detailed tap events.[2]
S1126 Phenakite

Phenakite has used phishing sites for iCloud and Facebook if either of those were used for authentication during the chat sign up process.[3]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[4] An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

M1006 Use Recent OS Version

The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12 allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.[5]
M1011 User Guidance

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0705 Detection of Input Capture AN1825

The user can view and manage installed third-party keyboards.
Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.
AN1826

The user can view and manage installed third-party keyboards.
Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

References

  1. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
  2. Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
  3. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.
  1. Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024.
  2. Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022.