
Input Capture

Adversaries may capture user input to obtain credentials or other information from the user through various methods.

Malware may masquerade as a legitimate third-party keyboard to record user keystrokes.[1] On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.

On Android, malware may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed.

Additional methods of keylogging may be possible if root access is available.

ID: T1417
Tactic Type: Post-Adversary Device Access
Tactic: Collection, Credential Access
Platform: Android, iOS
Version: 2.0
Created: 25 October 2017
Last Modified: 10 October 2019

Procedure Examples

Name Description
FlexiSpy

FlexiSpy can record keystrokes and analyze them for keywords.[3]

Gustuff

Gustuff abuses accessibility features to intercept all interactions between a user and the device.[4]

Monokle

Monokle can record the user's keystrokes.[5]

Mitigations

Mitigation Description
Application Vetting

Applications that attempt to register themselves as a device keyboard or request the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration should be closely scrutinized during the vetting process.

Enterprise Policy

When using Samsung Knox, third-party keyboards must be whitelisted in order to be available to the end-user.[2]

User Guidance

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration and accessibility permission requests.
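
The Application Vetting check above can be automated against a manifest that has already been decoded from the APK's binary format to text XML. The Python below is an added example, not part of this page or of any MITRE tooling: it lists services that declare themselves as an accessibility service or as an input method. The BIND_INPUT_METHOD permission and the two intent action strings are Android platform constants not named on this page, and the function name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Bind permissions and intent actions that mark a service as an accessibility
# service or a keyboard. Only BIND_ACCESSIBILITY_SERVICE appears on the page;
# the other three are Android platform constants added as assumptions.
SENSITIVE = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_INPUT_METHOD": "third-party keyboard",
    "android.accessibilityservice.AccessibilityService": "accessibility service",
    "android.view.InputMethod": "third-party keyboard",
}

# Constructed sample manifest (not from a real application).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <service android:name=".SyncService" android:exported="false"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".KeysService"
        android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
  </application>
</manifest>"""

def flag_input_capture_services(manifest_xml):
    """Return sorted (service name, role) pairs that need manual review."""
    # Stdlib parser keeps the example dependency-free; a pipeline that
    # handles untrusted manifests should use a hardened XML parser.
    root = ET.fromstring(manifest_xml)
    findings = set()
    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "name", "<unnamed>")
        # Check the bind permission and every declared intent action, so a
        # service that sets only one of the two is still reported.
        markers = [svc.get(ANDROID_NS + "permission", "")]
        markers += [a.get(ANDROID_NS + "name", "") for a in svc.iter("action")]
        findings.update((name, SENSITIVE[m]) for m in markers if m in SENSITIVE)
    return sorted(findings)
```

A reported service is a prompt for closer review, not a verdict: legitimate keyboards and assistive tools declare the same entries.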

Detection

On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.

References