1. Home
  2. Techniques
  3. Mobile
  4. Input Capture
  5. Keylogging

Input Capture: Keylogging

ID Name
T1417.001 Keylogging
T1417.002 GUI Input Capture

Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.

Some methods of keylogging include:

  • Masquerading as a legitimate third-party keyboard to record user keystrokes.[1] On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
  • Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed.
    *Additional methods of keylogging may be possible if root access is available.
ID: T1417.001
Sub-technique of:  T1417
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: AUT-13
Version: 1.1
Created: 05 April 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0422 Anubis

Anubis has a keylogger that works in every application installed on the device.[2]
S1079 BOULDSPY

BOULDSPY can capture keystrokes.[3]
S1094 BRATA

BRATA can log device keystrokes.[4][5][6]
S0655 BusyGasper

BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.[7]
S0480 Cerberus

Cerberus can record keystrokes.[8]
S1083 Chameleon

Chameleon has logged keystrokes of an infected device.[9] Additionally, Chameleon has stolen PINs, passwords and graphical keys through keylogging functionalities.[10]

S9004 Crocodilus

Crocodilus has the ability to enable or disable keylogging.[11]
S9005 DocSwap

When an accessibility event occurs, DocSwap has used a keylogger to record the target application’s icon, package name, event text, and timestamp.[12][13]

S1054 Drinik

Drinik can use keylogging to steal user banking credentials.[14]
S1092 Escobar

Escobar can collect application keylogs.[15]
S0478 EventBot

EventBot can abuse Android’s accessibility service to record the screen PIN.[16]
S0522 Exobot

Exobot has used web injects to capture users’ credentials.[17]
S0408 FlexiSpy

FlexiSpy can record keystrokes and analyze them for keywords.[18]
S1231 GodFather

GodFather has intercepted and recorded sensitive information from the application to include user credentials. GodFather has also leveraged a deceptive overlay that tricks users into submitting their device lock credentials which are captured.[19]

S0406 Gustuff

Gustuff abuses accessibility features to intercept all interactions between a user and the device.[20]
S0407 Monokle

Monokle can record the user's keystrokes.[21]
S1062 S.O.V.A.

S.O.V.A. can use keylogging to capture user input.[22]
S1055 SharkBot

SharkBot can use accessibility event logging to steal data in text fields.[23]
S9006 VajraSpy

VajraSpy has logged keystrokes of an infected device.[24]

G0112 Windshift

Windshift has included keylogging capabilities as part of Operation ROCK.[25]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[26]
M1011 User Guidance

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0661 Detection of Keylogging AN1751

Defender correlates an app acquiring input-capture capability (AccessibilityService enablement or default IME set) with high-frequency text-change/IME commit callbacks sourced from other packages, followed by local keylog persistence and/or small, immediate network egress. Chain: capability/permission → intercept (accessibility ‘TYPE_VIEW_TEXT_CHANGED’ or IME commitText/onStartInput bursts) → persist to container → near-term egress.
AN1752

Defender correlates a custom keyboard extension activation (optionally with TCC ‘Full Access’) or abnormal UI text-entry interception with local keylog persistence and/or small egress. Chain: capability/consent (keyboard Full Access/TCC) → intercept (keyboard commit events or repeated secure text entry edits) → persist to container → near-term egress.

References

  1. Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.
  2. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.
  3. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  4. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
  5. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  6. Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.
  7. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  8. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  9. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  10. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
  11. ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved November 24, 2025.
  12. EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.
  13. Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.
  1. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.
  2. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.
  3. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  4. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  5. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.
  6. Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
  7. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  8. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  9. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
  10. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  11. Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.
  12. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  13. Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024.