Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Keylogging) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. GUI Input Capture).

ID: T1417
Sub-techniques:  T1417.001, T1417.002
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-31, AUT-13
Version: 2.3
Created: 25 October 2017
Last Modified: 20 March 2023

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[1] An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

M1006 Use Recent OS Version

The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12 allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.[2]

M1011 User Guidance

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

DS0042 User Interface System Settings

The user can view and manage installed third-party keyboards.

References