Malicious Third Party Keyboard App

A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords[1].

Both iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.

ID: T1417

Tactic Type:  Post-Adversary Device Access

Tactic: Collection, Credential Access

Platform:  Android, iOS

Version: 1.1

Mitigations

MitigationDescription
Application VettingIt is rare for apps to register themselves as a device keyboard. Apps that do so should be closely scrutinized during the vetting process.
User GuidanceBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.

References