
T1417.001 Keylogging

Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.

Some methods of keylogging include:

  • Masquerading as a legitimate third-party keyboard to record user keystrokes. [1] On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
  • Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed.

*Additional methods of keylogging may be possible if root access is available.
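Both registration paths described above (a third-party keyboard and an accessibility service) are visible in an app's manifest before the app ever runs, which is what the Application Vetting / Permissions Requests data source listed under Detection on this page relies on. The following is an added vetting check, not code from MITRE or from any of the listed projects: it parses a decoded AndroidManifest.xml and flags services that declare the BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD binding permission, which Android requires for a service to be bound as an accessibility service or an input method respectively. The sample manifest, package name and service names are constructed for the example.

```python
"""Vetting check: flag manifests that register an accessibility service or a
third-party keyboard (IME), the two registration paths this technique abuses."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The system only binds a service as an accessibility service / input method
# if it declares the matching signature-level permission, so these are
# reliable markers of the capability regardless of what the app calls itself.
RISKY_SERVICE_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility-service",
    "android.permission.BIND_INPUT_METHOD": "third-party-keyboard",
}


def vet_manifest(manifest_xml: str) -> list:
    """Return one finding per service that can act as an accessibility
    service or keyboard, so a reviewer can demand a justification for it."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "<unknown>")  # package attr is un-namespaced
    findings = []
    for svc in root.iter("service"):
        kind = RISKY_SERVICE_PERMS.get(svc.get(ANDROID_NS + "permission"))
        if kind:
            findings.append({"package": pkg,
                             "service": svc.get(ANDROID_NS + "name"),
                             "kind": kind})
    return findings


# Constructed sample: a "notes" app that, besides a harmless sync service,
# registers an accessibility service and a keyboard it has no need for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application>
    <service android:name=".SyncService" android:exported="false"/>
    <service android:name=".TextWatcher"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Keyboard"
        android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in vet_manifest(SAMPLE_MANIFEST):
        print(f"{f['package']}: {f['service']} registers as {f['kind']}")
```

A finding is not proof of keylogging (screen readers and real keyboards declare the same permissions); it marks the app for a manual review of why that capability is needed.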

Item            Value
ID              T1417.001
Sub-techniques  T1417.001, T1417.002
Tactics         TA0035, TA0031
Platforms       Android, iOS
Version         1.1
Created         05 April 2022
Last Modified   20 March 2023

Procedure Examples

ID     Name        Description
S0422  Anubis      Anubis has a keylogger that works in every application installed on the device. [10]
S0655  BusyGasper  BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character. [13]
S0480  Cerberus    Cerberus can record keystrokes. [11]
S1054  Drinik      Drinik can use keylogging to steal user banking credentials. [12]
S0478  EventBot    EventBot can abuse Android's accessibility service to record the screen PIN. [7]
S0522  Exobot      Exobot has used web injects to capture users' credentials. [5]
S0408  FlexiSpy    FlexiSpy can record keystrokes and analyze them for keywords. [3]
S0406  Gustuff     Gustuff abuses accessibility features to intercept all interactions between a user and the device. [4]
S0407  Monokle     Monokle can record the user's keystrokes. [8]
S1062  S.O.V.A.    S.O.V.A. can use keylogging to capture user input. [6]
S1055  SharkBot    SharkBot can use accessibility event logging to steal data in text fields. [9]
G0112  Windshift   Windshift has included keylogging capabilities as part of Operation ROCK. [14]

Mitigations

ID     Mitigation         Description
M1012  Enterprise Policy  When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end user. [2]
M1011  User Guidance      Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

Detection

ID     Data Source          Data Component
DS0041 Application Vetting  Permissions Requests
DS0042 User Interface       System Settings

References
  1. Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.
  2. Samsung. (2019, August 16). 3rd party keyboards must be whitelisted. Retrieved September 1, 2019.
  3. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.
  4. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
  5. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  6. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
  7. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  8. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  9. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a "new" generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  10. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  11. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  12. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
  13. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  14. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.