T1417 Input Capture

Adversaries may capture user input to obtain credentials or other information from the user through various methods.

Malware may masquerade as a legitimate third-party keyboard to record user keystrokes.[1] On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.

On Android, malware may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed.

Additional methods of keylogging may be possible if root access is available.

| Item | Value |
| --- | --- |
| ID | T1417 |
| Sub-techniques | |
| Tactics | TA0035, TA0031 |
| Platforms | Android, iOS |
| Version | 2.1 |
| Created | 25 October 2017 |
| Last Modified | 24 June 2020 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0422 | Anubis | Anubis has a keylogger that works in every application installed on the device.[6] |
| S0655 | BusyGasper | BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.[10] |
| S0480 | Cerberus | Cerberus can record keystrokes.[8] |
| S0478 | EventBot | EventBot can abuse Android’s accessibility service to record the screen PIN.[7] |
| S0522 | Exobot | Exobot has used web injects to capture users’ credentials.[9] |
| S0408 | FlexiSpy | FlexiSpy can record keystrokes and analyze them for keywords.[3] |
| S0406 | Gustuff | Gustuff abuses accessibility features to intercept all interactions between a user and the device.[4] |
| S0407 | Monokle | Monokle can record the user’s keystrokes.[5] |
| G0112 | Windshift | Windshift has included keylogging capabilities as part of Operation ROCK.[11] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1005 | Application Vetting | Applications that attempt to register themselves as a device keyboard or request the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration should be closely scrutinized during the vetting process. |
| M1012 | Enterprise Policy | When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[2] |
| M1011 | User Guidance | Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration and accessibility permission requests. |
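
The vetting check described under M1005 can be automated against an app's manifest. The following is an added example, not part of the original page: it assumes the AndroidManifest.xml has already been decoded to text XML, and the function name `vet_manifest` and the sample manifest are constructed for illustration. The keyboard permission and the two intent actions are Android platform identifiers not listed on this page.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Service-level permissions that indicate input-capture capability.
# BIND_ACCESSIBILITY_SERVICE is named on this page; BIND_INPUT_METHOD is the
# platform permission a third-party keyboard service must declare.
WATCHED = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_INPUT_METHOD": "third-party keyboard (IME)",
}
# Intent actions the platform uses to bind each kind of service.
ACTIONS = {
    "android.accessibilityservice.AccessibilityService": "accessibility service",
    "android.view.InputMethod": "third-party keyboard (IME)",
}

def vet_manifest(manifest_xml):
    """Return findings for <service> entries that can observe user input."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for svc in root.iter("service"):
        name = svc.get(A + "name", "")
        if name.startswith("."):          # relative class name
            name = package + name
        kinds = set()
        if svc.get(A + "permission") in WATCHED:
            kinds.add(WATCHED[svc.get(A + "permission")])
        for action in svc.iter("action"):
            if action.get(A + "name") in ACTIONS:
                kinds.add(ACTIONS[action.get(A + "name")])
        findings += [{"service": name, "kind": k} for k in sorted(kinds)]
    return findings

# Constructed sample manifest (decoded text form), not from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name="com.example.flashlight.Keys" android:permission="android.permission.BIND_INPUT_METHOD"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in vet_manifest(SAMPLE):
        print(f"{f['service']}: declares {f['kind']}")
```

A finding is a prompt for closer review of whether the app's stated function justifies the service, not a verdict. When processing untrusted APKs, parse the manifest with a hardened XML parser such as defusedxml.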
