T1417 Input Capture
Adversaries may capture user input to obtain credentials or other information from the user through various methods.
Malware may masquerade as a legitimate third-party keyboard to record user keystrokes.1 On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
On Android, malware may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed.
Additional methods of keylogging may be possible if root access is available.
Item | Value |
---|---|
ID | T1417 |
Sub-techniques | |
Tactics | TA0035, TA0031 |
Platforms | Android, iOS |
Version | 2.1 |
Created | 25 October 2017 |
Last Modified | 24 June 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0422 | Anubis | Anubis has a keylogger that works in every application installed on the device.6 |
S0655 | BusyGasper | BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.10 |
S0480 | Cerberus | Cerberus can record keystrokes.8 |
S0478 | EventBot | EventBot can abuse Android’s accessibility service to record the screen PIN.7 |
S0522 | Exobot | Exobot has used web injects to capture users’ credentials.9 |
S0408 | FlexiSpy | FlexiSpy can record keystrokes and analyze them for keywords.3 |
S0406 | Gustuff | Gustuff abuses accessibility features to intercept all interactions between a user and the device.4 |
S0407 | Monokle | Monokle can record the user’s keystrokes.5 |
G0112 | Windshift | Windshift has included keylogging capabilities as part of Operation ROCK.11 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1005 | Application Vetting | Applications that attempt to register themselves as a device keyboard or request the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration should be closely scrutinized during the vetting process. |
M1012 | Enterprise Policy | When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.2 |
M1011 | User Guidance | Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration and accessibility permission requests. |
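The accessibility-service and keyboard-registration patterns described in the technique text are also what mitigation M1005 asks vetting to look for. The following is an added example, not part of the ATT&CK page or any vetting product: it scans an AndroidManifest.xml that has already been decoded from binary XML (an assumption, e.g. via apktool) and flags every service declared as an accessibility service or an input method, using the real Android bind permissions and intent actions for those service types.

```python
import xml.etree.ElementTree as ET

# ElementTree spells android:foo attributes as {namespace}foo.
NS = "{http://schemas.android.com/apk/res/android}"
ANDROID_XMLNS = NS[1:-1]
# Bind permissions and intent actions that mark an accessibility service or an
# input-method (keyboard) service; all four are real Android identifiers.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
IME_PERM = "android.permission.BIND_INPUT_METHOD"
IME_ACTION = "android.view.InputMethod"


def find_input_capture_services(manifest_xml: str) -> list[dict]:
    """List every <service> that is an accessibility service or an input method
    so a reviewer can scrutinize it (ATT&CK mitigation M1005)."""
    findings = []
    for svc in ET.fromstring(manifest_xml).iter("service"):
        perm = svc.get(NS + "permission", "")
        actions = {a.get(NS + "name") for a in svc.iter("action")}
        kinds = []
        if perm == ACCESSIBILITY_PERM or ACCESSIBILITY_ACTION in actions:
            kinds.append("accessibility-service")
        if perm == IME_PERM or IME_ACTION in actions:
            kinds.append("input-method")
        if kinds:
            findings.append({
                "service": svc.get(NS + "name"),
                "kinds": kinds,
                # Such a service without the system bind permission is a second
                # red flag: any app on the device could bind to it.
                "bind_permission_missing": perm not in (ACCESSIBILITY_PERM, IME_PERM),
            })
    return findings


# Constructed sample manifest (not from any real app): one accessibility
# service, one keyboard missing its bind permission, one ordinary service.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_XMLNS}" package="com.example.app">
  <application>
    <service android:name=".TextWatcherService"
             android:permission="{ACCESSIBILITY_PERM}">
      <intent-filter><action android:name="{ACCESSIBILITY_ACTION}"/></intent-filter>
    </service>
    <service android:name=".FancyKeyboard">
      <intent-filter><action android:name="{IME_ACTION}"/></intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""
```

Running `find_input_capture_services(SAMPLE_MANIFEST)` flags the first two services and leaves the ordinary background service alone; a flagged service is a prompt for manual review, not proof of malice, since legitimate keyboards and assistive apps declare the same things.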
References
- Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.
- Samsung. (2019, August 16). 3rd party keyboards must be whitelisted. Retrieved September 1, 2019.
- FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.
- Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
- Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
- M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
- D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
- Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
- Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
- Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.