Skip to content

DET0661 Detection of Keylogging

Item Value
ID DET0661
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1417.001 (Keylogging)

Analytics

Android

AN1751

Application vetting services can look for applications requesting the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions. On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard.

Log Sources
Data Component Name Channel
Permissions Requests (DC0114) Application Vetting None
System Settings (DC0118) User Interface None
Mutable Elements
Field Description

iOS

AN1752

Application vetting services can look for applications requesting the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions. On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard.

Log Sources
Data Component Name Channel
Permissions Requests (DC0114) Application Vetting None
System Settings (DC0118) User Interface None
Mutable Elements
Field Description