MITRE ATT&CK® Analytic

AN1826: Analytic 1826

Defender observes an app enabling or using input-capture surfaces (custom keyboard extension with Full Access, abnormal UI text entry interception, pasteboard polling adjacent to login screens), then persisting and/or exfiltrating captured input. Chain: capability/consent (TCC for keyboard Full Access or input privacy domains) → intercept behavior (keyboard extension active, repeated text field ‘editingChanged’/secure entry focus, background pasteboard reads) → local write → near-term egress.

Domain: Mobile | ID: AN1826 | Type: Analytic | Object version 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because it focuses on iOS apps that may capture sensitive user input before it reaches its intended destination, such as through a custom keyboard with Full Access, suspicious text-entry interception, or pasteboard polling near login screens. For leaders, the practical issue is not just mobile malware detection; it is whether the organization can prove that managed iOS devices, high-risk users, and mobile app environments are monitored well enough to identify credential or data capture patterns before they become an incident-response blind spot.

Executive priority

Prioritize this where iOS is used for privileged access, executive communications, customer workflows, or regulated data entry. The key business question is whether mobile security, identity, and SOC processes can connect app permissions or consent, input-interception behavior, local storage of captured content, and near-term network egress into one reviewable chain. Because ATT&CK provides no tactic or official detection text for this analytic, it should be treated as a coverage-validation prompt rather than a ready-made detection rule.

Technical view

For SOC, mobile security, and IR teams, validate whether telemetry can show the chain described by MITRE: an iOS app enabling or using input-capture surfaces, signs of interception such as keyboard extension activity or abnormal text-field handling, background pasteboard reads near login activity, local writes, and near-term egress. Detection engineering should avoid treating any single signal as conclusive; custom keyboards, pasteboard access, and local writes may be legitimate depending on the app and user workflow. The higher-value analytic is correlation across permission/capability state, suspicious input-adjacent behavior, persistence to local storage, and outbound communication shortly afterward.

Likely telemetry

  • iOS app inventory and installed keyboard extension visibility
  • Custom keyboard Full Access or related consent/capability state where available
  • Mobile application behavior telemetry showing keyboard extension activity or abnormal text-entry interception indicators
  • Pasteboard access/read events, especially background reads adjacent to login or credential-entry workflows where observable
  • Local file or app storage write activity following input-capture behavior

Detection direction

  • Validate that mobile telemetry can correlate capability or consent, intercept behavior, local write, and near-term egress instead of alerting on isolated events only.
  • Tune for context around login screens or credential-entry workflows, because pasteboard polling or text-entry activity is more material when adjacent to sensitive input.
  • Account for false positives from legitimate custom keyboards, password managers, enterprise apps, accessibility-related workflows, or apps with expected clipboard features.
  • Review whether iOS privacy and platform constraints limit visibility into text-field events, pasteboard access, or app-local storage; document these as coverage gaps rather than assuming detection exists.
  • Because no ATT&CK relationships or official detection logic were supplied, map this analytic to local mobile controls and test data sources before operationalizing alerts.
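As an added example (not Glexia's or MITRE's code) of the correlation the bullets above call for, the following Python runs a per-app state machine over constructed telemetry events and alerts only when a capability grant, a login-adjacent intercept, a local write, and near-term egress appear in that order. The event schema, stage names, bundle ids and the 15-minute egress window are assumptions, not a vendor format or an ATT&CK-supplied threshold.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Stages of the AN1826 chain, in the order they must be observed.
CHAIN = ("capability", "intercept", "local_write", "egress")
# One normalized telemetry observation; this schema is an assumption, not a vendor format.
# login_adjacent: a credential/login UI was in the foreground when the event occurred.
Event = namedtuple("Event", "ts app stage detail login_adjacent", defaults=(False,))

def correlate_input_capture(events, egress_window=timedelta(minutes=15)):
    """One alert per app whose events complete CHAIN in order. Only login-adjacent
    intercepts count and the egress must follow the local write within egress_window,
    so no isolated signal (keyboard, pasteboard read, local write) alerts by itself."""
    by_app = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_app.setdefault(ev.app, []).append(ev)
    alerts = []
    for app, evs in by_app.items():
        matched = []  # events matched so far, in CHAIN order
        for ev in evs:
            if ev.stage != CHAIN[len(matched)]:
                continue  # not the stage we are waiting for
            if ev.stage == "intercept" and not ev.login_adjacent:
                continue  # pasteboard/text-entry activity away from a login screen: not material
            if ev.stage == "egress" and ev.ts - matched[-1].ts > egress_window:
                continue  # egress is not near-term after the local write
            matched.append(ev)
            if len(matched) == len(CHAIN):
                alerts.append({"app": app, "events": tuple(matched)})
                break
    return alerts

T0 = datetime(2026, 1, 1, 9, 0)
# Constructed sample telemetry (not real device logs); the bundle ids are made up.
SAMPLE_EVENTS = [
    # keyboard app: full chain, login-adjacent intercept, egress 3 min after the write
    Event(T0, "com.example.keyboard", "capability", "keyboard_full_access_granted"),
    Event(T0 + timedelta(minutes=5), "com.example.keyboard", "intercept", "pasteboard_read_background", True),
    Event(T0 + timedelta(minutes=6), "com.example.keyboard", "local_write", "app_container_write"),
    Event(T0 + timedelta(minutes=9), "com.example.keyboard", "egress", "tls_connect"),
    # password manager: same three leading signals but no egress, so no alert
    Event(T0, "com.example.pwmanager", "capability", "keyboard_full_access_granted"),
    Event(T0 + timedelta(minutes=2), "com.example.pwmanager", "intercept", "pasteboard_read", True),
    Event(T0 + timedelta(minutes=3), "com.example.pwmanager", "local_write", "app_container_write"),
    # notes app: egress two hours after the write falls outside the near-term window
    Event(T0, "com.example.notes", "capability", "keyboard_full_access_granted"),
    Event(T0 + timedelta(minutes=1), "com.example.notes", "intercept", "text_field_editing_changed", True),
    Event(T0 + timedelta(minutes=2), "com.example.notes", "local_write", "app_container_write"),
    Event(T0 + timedelta(hours=2), "com.example.notes", "egress", "tls_connect"),
]
```

Widening egress_window shows why the window is a tuning decision rather than a constant: at three hours the notes app also completes the chain.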

Mitigation priorities

  • Establish policy and review processes for custom keyboards and apps requesting broad input-related access on managed iOS devices.
  • Use mobile device/application management to restrict or review high-risk apps and keyboard extensions where business justification is weak.
  • Prioritize monitoring for privileged users and workflows involving credentials, regulated data, or critical operations performed on iOS.
  • Ensure incident response playbooks include mobile app permission review, app inventory, network activity review, and preservation of available mobile telemetry.
  • Use compliance evidence to show whether the organization can govern mobile app permissions and investigate suspected input capture, while noting platform visibility limitations.

Analyst notes and limits

This object is a mobile ATT&CK detection analytic for iOS, external ID AN1826, tied to MITRE detection strategy DET0705. The useful defensive concept is correlation: input-capture capability or consent, observed interception behavior, local persistence, and near-term egress. No relationship context was supplied, so no related techniques, software, groups, or mitigations are inferred.

The supplied ATT&CK fields do not include an official detection section, tactics, relationships, aliases, or labels. Visibility into iOS app internals, pasteboard behavior, keyboard extension behavior, and local storage may vary significantly by device management model, security tooling, OS version, and privacy constraints. Local telemetry validation is required before claiming coverage.

Official MITRE ATT&CK definition

Analytic 1826 (the definition text is quoted verbatim at the top of this page)

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: b10d1b1cca90fafb...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Bundle imported: | Object version: 1.1 | Modified: | Status: Current bundle | Raw hash: b10d1b1cca90…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1826 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.