Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)
Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.
Some methods of keylogging include:
- Masquerading as a legitimate third-party keyboard to record user keystrokes. (Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
- Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed.
- Additional methods of keylogging may be possible if root access is available.
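
For app vetting, the accessibility-based method described above leaves a static trace in the APK. The following is an added example, not part of the original entry: it audits a decoded `AndroidManifest.xml` and the referenced service config for accessibility services that subscribe to text-change events. The sample manifest, package name, service names and the `audit` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
TEXT_EVENTS = {"typeViewTextChanged", "typeAllMask"}

# Constructed sample inputs, as decoded from an APK (for example by apktool).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application>
    <service android:name=".SyncService"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
      <meta-data android:name="android.accessibilityservice" android:resource="@xml/helper_config"/>
    </service>
  </application>
</manifest>"""
SAMPLE_CONFIGS = {"@xml/helper_config": """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeViewFocused"
    android:canRetrieveWindowContent="true"/>"""}

def accessibility_services(manifest_xml):
    """Yield (service name, config resource) for each declared AccessibilityService."""
    for svc in ET.fromstring(manifest_xml).iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if A11Y_ACTION not in actions:
            continue
        meta = [m.get(ANDROID + "resource") for m in svc.iter("meta-data")
                if m.get(ANDROID + "name") == "android.accessibilityservice"]
        yield svc.get(ANDROID + "name"), (meta[0] if meta else None)

def audit(manifest_xml, configs):
    """Return services whose static config subscribes to text-change events."""
    findings = []
    for name, res in accessibility_services(manifest_xml):
        if res not in configs:
            # No static config: event types are set at runtime via setServiceInfo().
            findings.append((name, "no static config; review setServiceInfo() calls"))
            continue
        types = ET.fromstring(configs[res]).get(ANDROID + "accessibilityEventTypes", "")
        hits = sorted(TEXT_EVENTS & set(types.split("|")))
        if hits:
            findings.append((name, "receives " + ",".join(hits)))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_MANIFEST, SAMPLE_CONFIGS):
        print(name, "->", reason)
```

A finding only shows that the service can receive text-change events; legitimate assistive apps declare the same event types, so each hit needs review against the app's stated purpose.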
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | 1 |