Every time you type a password, card number, or company login, you expect only the website or app in front of you to see it.
A keylogger breaks that trust. Understanding what a keylogger is, how it works, how it gets onto devices, and how to protect against it is an important part of modern cybersecurity.
Key Takeaways
- Keyloggers are hidden tools that record what you type, which can expose your passwords, card numbers, and other sensitive information.
- They usually reach devices through phishing emails, malicious or pirated software, unsafe websites, fake updates, or, in the case of hardware keyloggers, brief physical access to your computer.
- Detecting keyloggers requires several actions together, such as checking system processes and startup items, reviewing browser extensions, running full security scans, and physically inspecting keyboard cables and adapters.
Keylogger: Definition
A keylogger (keystroke logger) is software or hardware that records what you type on a keyboard or tap on a screen. In most cybersecurity contexts, the term refers to a hidden tool used to watch what a user does and to collect information, often without permission. In 2023, about 73% of cyberattacks used some form of keystroke tracking, such as keyloggers, to watch what people type.
A typical keylogger:
- Runs silently in the background
- Captures keystrokes (sometimes with details of the active window, app, or website)
- Stores this data on the device or sends it to a remote server controlled by an attacker
From these logs, attackers can read passwords, credit card numbers, messages, and other sensitive data that you type into websites or internal systems.
Keyloggers are often part of spyware, which is software that secretly collects information about a user and their device. However, not every keylogger is illegal. Some are used for parental control or for monitoring company-owned devices. The key difference is whether there is consent, clear communication, and proper handling of the collected data.
The activity of capturing and recording keystrokes is called keylogging. Over time, it can reveal not only login details, but also daily habits, which services a person uses, and how they work.
How Do Keyloggers Work?
The technical details can differ between keyloggers, but most of them follow three basic steps:
1. Inserting into the Input Path
First, the keylogger places itself somewhere between your input (keyboard or screen) and your applications. On desktops and laptops, this can be at the keyboard driver level, inside the operating system, or inside the browser. In these positions, it can see what you type as you type it. On phones and tablets, a keylogger is often built into an app that has broad permissions, which allow it to monitor what you type or to view what appears on the screen.
2. Copying Keystrokes or Taps
Next, the keylogger copies the input as it passes through this path. Some variants record every key you press and create a continuous log of your typing. Others only record when certain programs are active, such as a web browser, a business application, or a banking app, so they focus on information that is more likely to be valuable. Some keyloggers are even more selective and watch specific fields, such as username and password boxes, so they mainly capture important information and ignore less useful text.
3. Storing and Moving the Data
Finally, the captured data is stored and moved. Simple keyloggers save keystrokes in a hidden file on the device. More advanced versions regularly send encrypted logs over the internet to a command and control (C2) server, which is a server controlled by the attacker. Attackers then search these logs for patterns that look like email addresses, card numbers, or passwords. To the user, everything usually appears normal while this is happening, which allows keyloggers to remain on the system for a long time without being noticed.
Types of Keyloggers
Keyloggers are commonly divided into software keyloggers and hardware (physical) keyloggers.
1. Software Keyloggers
Software keyloggers are programs that are installed on a device and quietly record what you type.
Desktops and Laptops
On computers and laptops, software keyloggers often arrive as part of other malware, such as:
- Fake installers
- Cracked or pirated software
- Documents with malicious macros
Once installed, they start when the operating system starts and sit between the keyboard and the applications. This lets them see each key press before the program you are using does. Many also record which window or website is active so attackers can connect captured text to specific login pages, emails, or business systems.
Mobile Devices
On phones and tablets, software keyloggers are often hidden inside “monitoring” or spying apps. They are commonly:
- Installed from outside the official app store
- Delivered through malicious links or fake apps
With broad permissions, these apps may use accessibility features, screen capture, or notification access to watch taps on the on-screen keyboard and to see what appears on the screen. This allows them to reconstruct passwords, messages, and other sensitive information typed on the device.
Other Types of Software Keyloggers
Some software keyloggers do not record each key press separately. Instead, they focus on data inside applications or browsers so they can capture cleaner and more complete information.
Form-grabbing keyloggers capture web form data when you click “submit”. They read the final values of each field directly from the browser before the information is sent to the website. This gives attackers complete login credentials and payment details, not just raw keystrokes.
JavaScript keyloggers are malicious scripts that run inside web pages. Attackers inject JavaScript into a site they control, into a compromised legitimate site, or through a harmful browser extension. The script watches selected fields, such as username, password, or card number boxes, and silently sends what you type to a remote server.
API-based keyloggers hook into the standard functions (APIs) that programs use to read keyboard input. Whenever an application calls these functions to read keystrokes, the keylogger sees the same data and records it. This method is common in more advanced malware because it works across many applications and gives attackers a wide view of what is typed on the system.
2. Hardware Keyloggers (Physical Keyloggers)
Hardware keyloggers are physical devices that capture keystrokes before they reach the operating system. They are placed between the keyboard and the computer, or built directly into the keyboard or another hardware component.
A basic hardware keylogger looks like a small adapter. It plugs into a USB or PS/2 port, and the keyboard plugs into it. Inside, a small chip records each key press in its own memory while still allowing the keyboard to work normally. Later, the attacker connects to the device or uses a special key sequence to download the stored keystrokes.
More advanced hardware keyloggers can be hidden inside keyboards, laptop cases, docking stations, or USB hubs. Some models include Wi-Fi or Bluetooth so attackers nearby can retrieve logs wirelessly, without needing to touch the device again.
Because hardware keyloggers sit outside the operating system:
- They do not appear as files, drivers, or running processes.
- Standard antivirus tools cannot detect them directly.
- The attacker must have physical access to install them.
- Each device usually affects only the machine it is attached to.
How Keyloggers Get on Your Device
Keyloggers do not appear on a device by accident; they are always delivered in some way.
Email-Based Delivery: Phishing and Spear Phishing
A common method is phishing or spear phishing. The attacker sends an email that appears to come from a bank, delivery service, supplier, or colleague and urges you to open an attachment or run a file that looks like an invoice, report, or update. When you open it, the file runs malware that installs a keylogger, often together with other tools such as remote access trojans.
Malicious and Pirated Downloads
Keyloggers are often bundled with untrusted software. Free tools from suspicious websites, game cheats, and cracked versions of paid applications can all contain hidden keylogger components. The visible program may work as expected, which makes it seem legitimate, while the hidden keylogger runs quietly in the background and collects your data.
Drive-By Downloads from Websites
Drive-by downloads take advantage of weaknesses in browsers and plugins. Simply visiting a compromised or malicious site with outdated software can trigger an automatic download and execution of malware, including keylogging modules. This often happens without clear warnings or prompts, so the user may not realise that anything has been installed. In 2023, about 28% of keylogger infections came from drive-by downloads on unsafe or hacked websites that targeted people using old browsers or plugins.
Fake Updates and Modified Installers
Attackers also use fake update prompts and modified installers. These are designed to look very similar to real software updates or are hosted on websites that imitate trusted brands. When you run them, they install both the legitimate application and the keylogger. Because the expected software appears to work normally, many users do not realise that malicious software was installed at the same time.
Physical Access for Hardware Keyloggers
Hardware keyloggers require physical access to the device. An attacker who can reach the ports on a desktop or laptop for even a short time can plug in a small inline device or replace the keyboard with a modified one that contains logging hardware. Public kiosks, shared office computers, classrooms, and unattended workstations are common targets because small changes to cables or hardware are easy to miss.
Mobile Keylogger Installation
On mobile devices, keyloggers usually arrive through apps and links rather than traditional installers. They may be installed from outside official app stores, delivered through malicious links that trick users into installing fake apps, or hidden inside apps that look legitimate but are given more permissions than they truly need. Once installed, these apps can quietly monitor touches, capture screenshots, read notifications, and sometimes access the microphone or other data sources. This gives attackers several ways to observe sensitive information.
How to Detect a Keylogger
Detecting a keylogger is challenging because it is designed to hide itself, but you can improve your chances by combining system checks with security tools.
Check the operating system (Windows/macOS)
On Windows, open Task Manager and look for unknown or suspicious processes and startup items. In “Apps & features” or “Programs and Features”, remove software you do not recognise or no longer need. On macOS, use Activity Monitor to review running processes and check login items for apps that start automatically. Remove items that are clearly unwanted or confirmed as malicious.
Review browser extensions
Open the extensions or add-ons page in each browser. Remove extensions you do not recognise, no longer use, or that request very broad permissions without a clear reason. This reduces the chance of a browser-based keylogger.
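The extension review can be partly automated by reading each extension's manifest.json and listing the ones that ask for access to every site. The script below is an added example, not part of the original article; the shortlist of sensitive APIs and the sample manifests are assumptions made for illustration.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed shortlist of APIs worth a second look; adjust to your own policy.
SENSITIVE_APIS = {"webRequest", "scripting", "tabs", "clipboardRead", "debugger"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return review findings for one parsed manifest.json."""
    findings = []
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Manifest V3 lists host patterns separately; V2 mixes them into "permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append("host access to every site: " + ", ".join(broad))
    apis = sorted(perms & SENSITIVE_APIS)
    if apis:
        findings.append("sensitive APIs: " + ", ".join(apis))
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            files = ", ".join(script.get("js", []))
            findings.append("content script runs on every page: " + files)
    return findings

def review(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Map extension name -> findings, leaving out extensions with none."""
    report = {}
    for name, raw in manifests.items():
        findings = audit_manifest(json.loads(raw))
        if findings:
            report[name] = findings
    return report

# Constructed manifests for illustration; these are not real extensions.
SAMPLES = {
    "Unit Converter": '{"manifest_version": 3, "permissions": ["storage"]}',
    "Free Coupons": '{"manifest_version": 3, "permissions": ["storage", "tabs", "scripting"],'
                    ' "host_permissions": ["<all_urls>"],'
                    ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}',
    "Old Toolbar": '{"manifest_version": 2, "permissions": ["*://*/*", "webRequest"]}',
}

if __name__ == "__main__":
    for name, findings in review(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

A finding is a prompt to ask whether the extension has a clear reason for that access, not proof that it is malicious.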
Run a full security scan
Use reputable antivirus or endpoint protection software to run a full system scan. Modern tools use signatures and behaviour-based detection to find many keylogger families. Keep the software updated and ensure real-time protection is enabled.
Inspect for hardware keyloggers
Physically check the path from the computer to the keyboard. Look for unfamiliar adapters or small devices placed in between, including on USB hubs or docking stations. On shared or public computers, treat any unexpected device in the keyboard path as suspicious until you know what it is.
Combine methods for better detection
No single method can guarantee detection. Using system checks, browser reviews, security scans, and physical inspection together gives you a much better chance of finding and removing a keylogger.
How to Protect Yourself from Keylogging
You cannot remove the risk of keyloggers entirely, but you can reduce it a great deal by following computer malware prevention best practices and using suitable security tools.
Protecting Personal Devices
Keep software updated: Regularly update your operating system, web browser, and important applications so that security holes that malware can use are closed.
Install software only from trusted sources: Use official app stores or the software vendor’s website. Avoid cracked software, game cheats, and random “free” versions of paid tools.
Use a password manager: A password manager generates and stores strong, unique passwords and fills them in for you, so you type them less often and do not reuse them.
Enable multi-factor authentication (MFA): Turn on MFA for important accounts such as email, banking, cloud storage, and work tools. Even if an attacker obtains your password, they still need the second factor to log in.
Run reputable security software: Install well-known antivirus or security suites, keep them updated, and make sure real-time protection is turned on so they can block known threats and warn you about suspicious activity.
Using Shared or Public Computers
Avoid entering passwords, card numbers, or other sensitive information on public or shared machines if possible.
Try not to access online banking, your main email, or administrative panels from these devices.
If you must log in, sign out of all accounts and close the browser when you are finished. Later, from a trusted device, change important passwords and watch your accounts for unusual activity.
Measures for Organisations
Train staff about phishing, risky attachments, and unsafe downloads so they understand that a single careless click can install a keylogger.
Standardise security on all company devices with antivirus, firewalls, and regular system and software updates.
Control software and device use by limiting who can install programs or plug in USB devices, and by setting clear policies for personal devices and removable media.
Monitor for suspicious activity by reviewing logs and alerts for unknown programs at startup or tools that try to intercept keyboard input. Early detection makes removal easier and reduces potential damage.
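One way to review startup programs across company devices is to compare each machine's current startup inventory with an approved baseline. The script below is an added example, not part of the original article; the CSV layout (host, entry, command, sha256), the host name, the program names, and the hash placeholders are all constructed assumptions.

```python
import csv
import io

def load_inventory(text: str) -> dict:
    """Parse a CSV export into {(host, entry): row}."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {(r["host"], r["entry"]): r for r in rows}

def compare(baseline_csv: str, current_csv: str) -> list[tuple]:
    """Return (host, entry, reason, command) for every startup item that
    is new or differs from the approved baseline."""
    base = load_inventory(baseline_csv)
    cur = load_inventory(current_csv)
    alerts = []
    for key, row in sorted(cur.items()):
        old = base.get(key)
        if old is None:
            alerts.append((*key, "new startup entry", row["command"]))
        elif row["sha256"] != old["sha256"]:
            # Same name, different file content: the binary was replaced.
            alerts.append((*key, "binary changed since baseline", row["command"]))
        elif row["command"] != old["command"]:
            alerts.append((*key, "command line changed", row["command"]))
    return alerts

# Constructed inventories; HASH-* values stand in for real SHA-256 digests.
BASELINE = r"""
host,entry,command,sha256
ws-014,CloudSync,C:\Program Files\CloudSync\sync.exe,HASH-A
ws-014,SecurityAgent,C:\Program Files\Agent\agent.exe,HASH-B
"""
CURRENT = r"""
host,entry,command,sha256
ws-014,CloudSync,C:\Program Files\CloudSync\sync.exe,HASH-A
ws-014,SecurityAgent,C:\Program Files\Agent\agent.exe,HASH-C
ws-014,InputHelper,C:\Users\alex\AppData\Roaming\ih\helper.exe,HASH-D
"""

if __name__ == "__main__":
    for host, entry, reason, command in compare(BASELINE, CURRENT):
        print(f"{host}: {entry}: {reason} ({command})")
```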
Final Thoughts
Keyloggers are a quiet but effective way for attackers to steal information, because they target what people rely on most: their passwords and everyday typing. Treating your keyboard as a sensitive input, keeping systems and apps updated, and being careful about what you install or click are simple habits that make a real difference. When you also add tools like antivirus, password managers, and multi-factor authentication, you make it much harder for a keylogger to turn a single mistake into a serious breach.
FAQs
Is every keylogger considered malware?
No. A keylogger becomes malware when it is installed without consent and used to steal data. When it is used openly and with permission on company devices or for parental control, it is usually treated as monitoring software rather than malware.
Can a keylogger steal my passwords even if the website uses HTTPS?
Yes. HTTPS protects data while it is travelling between your browser and the website, but a keylogger records what you type before it is encrypted and sent.
Does using a password manager prevent keylogging?
No. It just means you type passwords less often. If a keylogger is on your device, it can still capture your master password and anything else you type.
How can I tell if my device has a keylogger installed?
You usually can’t be sure. Signs like slow performance, strange apps, high data use, or fast battery drain mean you should run a full antivirus scan and check installed apps and extensions.
Will resetting my device remove a keylogger?
Resetting or reinstalling the system usually removes software keyloggers. It does not remove hardware keyloggers, so you must physically check and remove any suspicious cables, adapters, hubs, or keyboards.

