T1417 Input Capture
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Keylogging) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. GUI Input Capture).
| Item | Value |
|---|---|
| ID | T1417 |
| Sub-techniques | T1417.001, T1417.002 |
| Tactics | TA0035, TA0031 |
| Platforms | Android, iOS |
| Version | 2.3 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1225 | CherryBlos | CherryBlos has captured victims’ credentials through predefined fake activities.3 |
| S1231 | GodFather | GodFather has the captured information about the device’s screen to include detailed tap events.5 |
| S1126 | Phenakite | Phenakite has used phishing sites for iCloud and Facebook if either of those were used for authentication during the chat sign up process.4 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy | When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.1 An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android’s accessibility features. |
| M1006 | Use Recent OS Version | The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12 allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.2 |
| M1011 | User Guidance | Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access. |
References
-
Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024. ↩
-
Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022. ↩
-
Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025. ↩
-
Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024. ↩
-
Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025. ↩