Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1751: Analytic 1751

Defender correlates an app acquiring input-capture capability (AccessibilityService enablement or default IME set) with high-frequency text-change/IME commit callbacks sourced from other packages, followed by local keylog persistence and/or small, immediate network egress. Chain: capability/permission → intercept (accessibility ‘TYPE_VIEW_TEXT_CHANGED’ or IME commitText/onStartInput bursts) → persist to container → near-term egress.

MobileAN1751AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about detecting Android apps that gain input-capture capability and then behave like a keylogger: observing text changes or IME input events, storing captured content locally, and/or quickly sending small amounts of data outbound. For leaders, the significance is not just malware detection; it is protection of credentials, messages, business data, and user trust on mobile endpoints where traditional endpoint visibility may be thinner.

Executive priority

Prioritize this as a mobile identity and data-protection concern. If Android devices are used for work, executives should ask whether the organization can see risky AccessibilityService or default keyboard changes, correlate those changes with input-event activity, and investigate near-term local persistence or network egress. This can support incident triage, compliance evidence for mobile monitoring, and decisions about mobile device management and approved app controls.

Technical view

SOC and detection teams should validate whether Android telemetry can correlate the full behavioral chain described by ATT&CK: an app gaining input-capture capability through AccessibilityService enablement or being set as the default IME, followed by high-frequency TYPE_VIEW_TEXT_CHANGED or IME commitText/onStartInput activity sourced from other packages, followed by local keylog-like persistence and/or small immediate network egress. Because no official detection logic is provided, teams should treat this as a detection design requirement rather than an out-of-the-box rule.

Likely telemetry

  • Android AccessibilityService enablement or configuration changes
  • Default input method editor / keyboard selection changes
  • Accessibility event telemetry, especially TYPE_VIEW_TEXT_CHANGED
  • IME callback or input-event telemetry such as commitText and onStartInput bursts
  • Application package identity and source package context

Detection direction

  • Correlate capability acquisition, input interception behavior, and persistence or egress rather than alerting on any single event in isolation.
  • Tune for high-frequency text-change or IME callback bursts, especially when the observing app is not expected to capture input from other packages.
  • Review false positives from legitimate accessibility tools, enterprise keyboards, password managers, assistive technologies, and approved mobile security apps.
  • Validate whether telemetry preserves package identity, timing, and cross-package context; without these, the analytic may be difficult to implement reliably.
  • Because no ATT&CK relationships or tactics are supplied, avoid assuming campaign, malware family, or broader intrusion context from this analytic alone.

Mitigation priorities

  • Establish governance for which Android apps may use AccessibilityService or act as the default IME on managed devices.
  • Use mobile device management or equivalent policy controls to restrict unapproved keyboards and high-risk accessibility permissions where business requirements allow.
  • Maintain an approved-app baseline and investigate deviations involving input-capture capabilities.
  • Ensure mobile incident response playbooks include containment and evidence collection for suspected input capture, local storage of captured data, and near-term network egress.
  • Use collected evidence to support audit and compliance narratives around mobile data protection and privileged permission monitoring.
Analyst notes and limits

The supplied object is a mobile ATT&CK detection analytic for Android, not a technique or intrusion report. Its value is in the correlation pattern: permission or capability change, observable input interception, and persistence or egress. Local environment knowledge is required to distinguish malicious capture from legitimate accessibility and keyboard use.

Official detection content is not provided, tactics are not specified, and no relationship context is supplied. This take does not infer active exploitation, attribution, impact, or guaranteed detectability. Implementation depends on the organization’s Android telemetry depth and mobile management controls.

Official MITRE ATT&CK definition

Analytic 1751

Defender correlates an app acquiring input-capture capability (AccessibilityService enablement or default IME set) with high-frequency text-change/IME commit callbacks sourced from other packages, followed by local keylog persistence and/or small, immediate network egress. Chain: capability/permission → intercept (accessibility ‘TYPE_VIEW_TEXT_CHANGED’ or IME commitText/onStartInput bursts) → persist to container → near-term egress.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
78264409cc70cf4f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 78264409cc70…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1751
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use