T1417.001 Keylogging
Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.
Some methods of keylogging include:
- Masquerading as a legitimate third-party keyboard to record user keystrokes. [1] On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
- Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed.

*Additional methods of keylogging may be possible if root access is available.
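As an added vetting example (not code from this ATT&CK page or from any of the software listed below), the following Python inspects a decoded AndroidManifest.xml and an accessibility service configuration for the two service types described above: accessibility services (bound with `android.permission.BIND_ACCESSIBILITY_SERVICE` or declaring the `android.accessibilityservice.AccessibilityService` action) and third-party keyboards (bound with `android.permission.BIND_INPUT_METHOD` or declaring the `android.view.InputMethod` action). It also checks whether the accessibility configuration subscribes to `typeViewTextChanged` (the XML form of `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED`) or to `typeAllMask`, which would deliver typed text to the service. The manifest and configuration are constructed samples; the package and service names are hypothetical. This is the kind of check the Application Vetting / Permissions Requests data source under Detection refers to.

```python
"""Vetting helper: flag Android services that can observe what the user types.

Added example. Parses decoded manifest/config XML (as produced by apktool or
similar); it does not read binary AXML directly.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


# Service kinds that receive text as the user types it, keyed by the
# bind permission and the intent action that identify them in the manifest.
KEYSTROKE_CAPABLE = {
    "accessibility_service": (
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.accessibilityservice.AccessibilityService",
    ),
    "input_method": (
        "android.permission.BIND_INPUT_METHOD",
        "android.view.InputMethod",
    ),
}


def find_keystroke_capable_services(manifest_xml):
    """Return [{'service': name, 'kind': kind}] for every matching <service>."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for service in root.iter("service"):
        permission = android_attr(service, "permission")
        actions = {android_attr(a, "name") for a in service.iter("action")}
        for kind, (bind_permission, action) in KEYSTROKE_CAPABLE.items():
            # Either signal is enough: a service can omit the permission and
            # still be offered to the user in Settings via its intent filter.
            if permission == bind_permission or action in actions:
                findings.append({"service": android_attr(service, "name"), "kind": kind})
    return findings


# Values of android:accessibilityEventTypes that carry typed text.
TEXT_EVENT_TYPES = {"typeViewTextChanged", "typeAllMask"}


def accessibility_config_captures_text(config_xml):
    """True if the accessibility-service config subscribes to text-change events."""
    root = ET.fromstring(config_xml)
    declared = android_attr(root, "accessibilityEventTypes") or ""
    return bool(TEXT_EVENT_TYPES & set(declared.split("|")))


# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vetted">
  <application android:label="Example">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/accessibility_config"/>
    </service>
    <service android:name=".Keyboard"
             android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter>
        <action android:name="android.view.InputMethod"/>
      </intent-filter>
    </service>
    <service android:name=".Sync"/>
  </application>
</manifest>
"""

# Constructed res/xml/accessibility_config.xml that asks for text-change events.
SAMPLE_CONFIG = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeViewClicked"
    android:canRetrieveWindowContent="true"/>
"""

# Constructed config that only asks for click events (no typed text).
BENIGN_CONFIG = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewClicked"/>
"""

if __name__ == "__main__":
    for finding in find_keystroke_capable_services(SAMPLE_MANIFEST):
        print(f"{finding['service']}: {finding['kind']}")
    print("config captures typed text:", accessibility_config_captures_text(SAMPLE_CONFIG))
```

A service flagged as `accessibility_service` whose configuration returns true from `accessibility_config_captures_text` is the combination the technique text describes and is worth a manual review of the service's `onAccessibilityEvent` handler; an `input_method` finding corresponds to the third-party keyboard case and, under the Samsung Knox mitigation above, should be on the allow list before the app is deployed.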
Item | Value |
---|---|
ID | T1417.001 |
Sub-techniques | T1417.001, T1417.002 |
Tactics | TA0035, TA0031 |
Platforms | Android, iOS |
Version | 1.1 |
Created | 05 April 2022 |
Last Modified | 20 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0422 | Anubis | Anubis has a keylogger that works in every application installed on the device. [10] |
S0655 | BusyGasper | BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character. [13] |
S0480 | Cerberus | Cerberus can record keystrokes. [11] |
S1054 | Drinik | Drinik can use keylogging to steal user banking credentials. [12] |
S0478 | EventBot | EventBot can abuse Android’s accessibility service to record the screen PIN. [7] |
S0522 | Exobot | Exobot has used web injects to capture users’ credentials. [5] |
S0408 | FlexiSpy | FlexiSpy can record keystrokes and analyze them for keywords. [3] |
S0406 | Gustuff | Gustuff abuses accessibility features to intercept all interactions between a user and the device. [4] |
S0407 | Monokle | Monokle can record the user’s keystrokes. [8] |
S1062 | S.O.V.A. | S.O.V.A. can use keylogging to capture user input. [6] |
S1055 | SharkBot | SharkBot can use accessibility event logging to steal data in text fields. [9] |
G0112 | Windshift | Windshift has included keylogging capabilities as part of Operation ROCK. [14] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1012 | Enterprise Policy | When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user. [2] |
M1011 | User Guidance | Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | Permissions Requests |
DS0042 | User Interface | System Settings |
References
1. Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.
2. Samsung. (2019, August 16). 3rd party keyboards must be whitelisted. Retrieved September 1, 2019.
3. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.
4. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
5. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
6. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
7. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
8. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
9. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
10. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
11. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
12. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
13. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
14. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.