SkipToMainContent

Malware

Keyloggers 101: A definition + keystroke logging detection methods

Someone types on their laptop keyboard, possibly being recorded by a keylogger.

December 3, 2021

Think about everything you do on a computer or phone in a given day. You might compose work emails, sign in to
social media, chat with friends, search for information, check your bank account, shop for products — things so ordinary you may not even remember them all. 

Now imagine finding out someone had been hiding behind you, watching every single key you typed. 

Keylogging, also known as keystroke logging, is the act of recording a user’s keyboard interactions and device activity. Though it can be performed legally, it’s also a form of data monitoring that hackers and identity  thieves use to acquire people’s personal information. There may not be anything inherently unethical about a keylogger, but in the hands of a malicious user, a keylogger can cause serious damage. 

Keylogger-based malware has become another dangerous weapon in cyberattackers’ arsenals. It’s important to understand what a keylogger is, how to spot one, how to prevent keylogging malware, and how to secure your personal information.

What is a keylogger?

A keylogger (or keystroke logger) is a type of software or hardware used to track and record what someone types on their keyboard. Keyloggers can be used legally (some people even install them on their own devices), and you may have even used a computer with software installed to log keystrokes for monitoring and ensuring safe or approved use. 

But what keylogging means for everyday users is very different from what it means for cybercriminals. Malicious actors can also use them to capture your personal and financial information, PIN codes and account numbers, credit card numbers, usernames, passwords, and other sensitive data — all of which can be used to commit fraud or identity theft.

How keylogging works

An explanation of keylogging is paired with hands at a computer keyboard being monitored by a keylogger.


Keystroke trackers are readily available, and there may be one installed on the very device you’re using to read this. The software itself isn’t necessarily problematic if you signed an agreement to use the device it’s installed on or if it was packaged in your device’s software suite. What makes these tools problematic are issues of actor intent and victim consent. 

Whether the use is legal or illegal, all keylogging mechanisms work essentially the same way. They record every keyboard interaction a user has, allowing a third party to see a complete log of every email, instant message,  search query, password, username, or other keyed sequences that user types. Keystroke malware comes in a  variety of forms: 

  • Phishing emails: By clicking a link or downloading an attachment in a phishing email, text message, instant  message, or social media post, you could accidentally download malware designed to track keystrokes. 
  • Trojan viruses: Named after the giant wooden horse Greece used to infiltrate Troy during the Trojan War, hackers  trick users into downloading a Trojan virus by disguising it as a legitimate file or application.
  • Zero-day exploit: A zero-day exploit happens when hackers discover latent software security flaws and use them  to deliver malware through tactics like malicious webpage scripts and Trojans. Developers learn of the vulnerabilities too late to protect users. These are particularly dangerous because once the systems are infected, they then become more susceptible to further attacks.
  • Infected systems: Keyloggers can take advantage of an already-infected device or system and install other malicious software into that system. 

Keylogging malware can infect your computer through many of the same mechanisms as other common viruses,  but it can also be intentionally purchased and downloaded. In short, keyloggers can either be tools or weapons,  depending on who is installing them and how they’re using the acquired information.

Types of keyloggers

For the general public, keyloggers are most commonly spread online via phishing scams, Trojan viruses, and fake websites. Hackers’ main goal is to obtain victims’ passwords, personal information, usernames, and banking information, enabling them to make bank transfers, open credit lines, and make purchases. Malicious keylogging mechanisms break down into two broad categories: software and hardware. 

Software-based keyloggers

Many software-based keyloggers have rootkit functionality, meaning they’re able to hide in your system. These Trojan-spy programs can track your activity (including keystrokes and screenshots), save the data to your hard disk, and then forward the information to cybercriminals. Some of them are also able to track everything from information copied to your clipboard to location data and can even tap your microphone and camera. These tools can reach you at a few different levels: 

Kernel level: These are complex and difficult to write, so they aren’t especially common. Once installed, keyloggers affecting your device at the core of its operating system are especially difficult to diagnose and eradicate, as they’ve essentially been handed the “keys” to your device.

  • Application programming interface (API) level: The most common form of keylogger software intercepts signals sent from your keyboard to the program a user is typing into. Think of it like a recording device waiting between your physical keyboard and a program on your computer screen, like a word processor or browser.
  • Screen level: Known as “screen scrapers,” these types of keyloggers take regular screenshots, recording what appears on the user’s screen.
  • Browser level: This is the least complex and least deeply rooted of the four types, but it can still be quite dangerous. This “form-grabbing” ploy records what you type into webforms, which may include everything from Social Security numbers to contact information to login credentials.

Keylogging software is much more common than keylogging hardware because it’s discrete, can be packaged as malware, and is readily available today from online vendors. However, hardware-based keyloggers are still used for a variety of reasons and should not be ignored.

Hardware-based keyloggers

These keystroke loggers have a physical component to their implementation, either in the wiring or hardware of a device or in the setting around it. A common example of a hardware-based keylogger is the keyboard overlay on an ATM. Every time a bank customer presses the buttons on the criminal’s fake keypad — thinking it’s the legitimate ATM keypad — the keylogger records the keystrokes and forwards the information to the cybercriminal. 

These keyloggers can’t be detected by antivirus software because they aren’t installed on the computer, and they use their own internal memory to store and encrypt data. There are several general types of hardware-based keystroke loggers that range in their sophistication: 

  • Keyboard: These keyloggers are installed either in the wiring connecting a keyboard to a computer or directly in the keyboard itself.
  • Physical drive: Keylog Trojans in this category are typically delivered via a USB drive or Mini PCI card.
  • Third-party recording: The least sophisticated form of keylogger attack is an external recording device like a camera, which can be strategically placed to monitor public keypads or computer keyboards.
  • Acoustic: This rarely used method of keystroke monitoring records the almost imperceptibly distinct sounds made when the individual keys of a keyboard are struck. 

While keylogging hardware may not be as common as its software-based counterpart, it can still be highly dangerous and can compromise vital data.

What are keyloggers used for?

Three common legal and illegal keylogger uses appear side by side in two columns.


In some form or another, keyloggers have been in use for decades, harkening back to covert KGB operations in the 1970s. Today, keyloggers are the sixth most common form of enterprise malware, but they are also often packaged within the most common type — a downloader — as part of a suite of Trojan viruses. 

But is a keylogger illegal in and of itself? Not necessarily. Here’s how legal usage breaks down.

Legal keylogging examples

The legal use of keyloggers depends on user consent (depending on local laws), whether they’re used maliciously to steal personal information, who owns the devices they’re installed on, and whether the use victimizes someone in a manner that breaks any other applicable law. Here are a few examples of potentially legal keylogging: 

  • User experience data monitoring
  • Parental control to monitor and protect children’s online activity
  • Recording usage on a personal device owned by the keylogger user
  • Network, software, or hardware troubleshooting
  • Company data exchange and search query monitoring
  • Devise-use monitoring by a company or public entity, such as a library
  • Any legal usage consented to via a user agreement or contract 

Essentially, legal use comes down to local laws, user consent, and no intent to misuse user information.

Illegal keylogging examples

Illegal keylogging gets tricky because sometimes potentially legal usage can straddle the line between unethical and illegal. Generally speaking, the use becomes illegal primarily when it leads to stolen confidential data or when software/hardware is installed on a device owned by someone else, as outlined below: 

  • Account information theft
  • Collection of sensitive information
  • Monitoring when consent was explicitly denied via a legally binding contact
  • Credit card information and PIN collection
  • Installation of software or hardware on someone else’s device
  • Keystroke monitoring of a public device
  • Unlawful stalking or voyeurism 

In general, what makes keylogging illegal is a lack of user consent or the use of keyloggers on someone else’s property, though specific laws on usage can vary by location.

The threats of keyloggers 

Four images accompany four common keylogger threats users face.


Cybercriminals may be able to record and use everything you type. No matter how secure you believe your devices are, a keylogger hack represents a major threat to your cybersecurity because cyberattackers can weaponize some of your common virtual activities without your knowledge. A lot of information can be gathered from what you enter on your devices via your emails, text messages, login credentials, and web browsing. 

As noted above, cybercriminals may use keylogging malware for more overtly dangerous data like bank account numbers, PINs, or Social Security numbers, but they can also steal more personally sensitive content like browsing data, conversations, and even video or audio recordings. After cybercriminals access this information, you could be susceptible to any of these threats: 

  • Financial fraud
  • Identity theft
  • Data ransom
  • Virtual or physical stalking
  • Voyeurism and eavesdropping
  • Credit card, checking, or other financial account lockouts
  • Exposure of sensitive personal information 

This is in no way an exhaustive list of the ways in which keylogging can be used against you. It’s vital to protect your methods of accessing, transferring, and recording your data so you can mitigate these and more keystroke-monitoring threats.

How to prevent keylogging

Six images accompany six ways people can protect their devices from malicious keylogger attacks.


To help protect yourself from keylogger malware, follow general online safety best practices and maintain a healthy sense of skepticism when engaging in any online activity. Malicious keylogger protection is similar to most forms of virus protection, but no solution is foolproof. New malware is being written all the time, but here’s how to prevent keylogging attacks as much as possible by reducing your risk of encountering malware.

Enable two-factor authentication

Two-factor authentication is one of the most effective forms of virus, malware, and keylogger prevention. Also known as 2FA, this solution adds an extra log-in step such as a fingerprint or temporary PIN sent to your phone, helping verify that the person logging into your account is really you. Enable 2FA whenever you can to help ensure that if your information is stolen, cybercriminals can’t sign into your accounts remotely.

Don’t download unknown files

The next best way to protect yourself from malware is to refrain from downloading any unknown files and avoid strange links altogether. Phishing attacks are getting more sophisticated, but be skeptical of anyone—even contacts you know—telling you to download attachments or click links out of the blue.

Consider a virtual keyboard

This solution displays an interactive keyboard on your screen so you don’t have to physically type on an analog one. While a virtual keyboard isn’t an airtight prevention tactic, it does circumvent keylogging hardware and any keylogging software specifically designed to record interactions with your physical keyboard. Some software can still monitor your on-screen interactions, however, so this should be seen as a supplemental tool and not a complete solution.

Use a password manager

Password managers are not only convenient ways to ensure you don’t forget the seemingly endless number of logins we all have to juggle these days — they’re also great keylogger protection. By logging in with a password manager, you don’t display your passwords or physically type them, so keystroke monitors can’t capture them.

Install antivirus software

Look for antivirus software that includes anti-spyware and anti-keylogger protection. As with all forms of viruses, new, more sophisticated keystroke malware is being written all the time, so be sure to keep your software up to date to stay secure.

Consider voice-to-text conversion software

Similar to a virtual keyboard, voice-to-text conversion software can circumvent forms of keylogging that specifically target your physical keyboard.

How to detect and remove keyloggers 

A clipboard with a checkmark appears by five steps people can take to find and remove a keylogger from their device.


Keystroke monitors thrive on stealth, but can a keylogger be detected? While hardware may be relatively easy
to find — a USB drive or extra piece connected to your keyboard wire — software can often go undetected until it’s too late. 

Keylogging malware may show many common virus warning signs, including slower computer performance when browsing or starting programs, abnormal delays in activity, pop-ups, new icons on your desktop or system tray, or excessive hard drive or network activity. If you detect any of these, you may want to follow the steps below to identify and remove keylogging malware.

1. Do a software inventory check

Successful keystroke logger detection starts with taking stock of the programs and processes running on your computer. While many of these may have unfamiliar or even suspicious-looking names, they may blend in with the names of other software.

2. Do a browser extension check

Some keylogging malware is designed specifically to monitor your web usage and may show up as a browser extension. Check your browser menu and navigate to the list of active extensions. If there are any you don’t recognize or never downloaded, deactivate and remove them.

3. Remove keyloggers

Keyloggers can be removed in much the same way you would remove other forms of malware. You should always exercise extreme caution when handling computer programs. Even if a program seems suspicious, it could be a necessary tool, and disabling it could cause problems. Once you’ve identified a program you’re 100% certain is a keylogger, disable, uninstall, and/or delete it from your device.

4. What to do if you don’t find a keylogger

If you fail to identify any malicious keyloggers but still want to make absolutely certain your device is free of malware, you could reinstall your device’s operating system or perform a factory reset, which will effectively wipe all the data and programs from your device that were installed beyond the factory defaults. 

In a perfect world, you’ll never need to know what keylogging is. But the reality is that today, there are many
malicious cyberattackers out there trying to trick as many people as possible into downloading malware like a keylogger. It’s vital to practice safe internet use and protect your sensitive information.

Keylogger FAQs

Below are answers to some of the most commonly asked questions regarding keyloggers.

What is a keylogger?

A keylogger is software or hardware designed for monitoring and recording a user’s interactions with their keyboard and the associated device.

What does a keylogger do?

A keylogger surveils what someone types on their keyboard, recording their interactions with browsers, word processors, webforms, and other text-based media.

What are keyloggers used for?

Keyloggers are used to monitor how a user interacts with their keyboard as a means of recording their behavior, usage, or personal information.

Is a keylogger illegal?

While keylogging tools are not illegal in and of themselves, they are often used in an illegal manner by cyberattackers, identity thieves, or other malicious users to surreptitiously steal information or track activity without user consent.

What is the history of keyloggers?

Early cases of keylogging in the 1970s involved government surveillance of electronic typing machines. Today,
keystroke monitoring software is widely available for commercial and personal use.

Do mobile devices get keyloggers?

Mobile devices can be monitored using keylogging applications. Some of these programs may be able to monitor
screen interactions, downloads, location data, and even conversations.

Can a keylogger be detected?

Keyloggers may be difficult to detect, but they are identifiable. The most common way to detect a keylogger is
by searching a device’s software, applications, and background processes.

How can I tell if I have a keylogger infection?

If your device has been infected by keylogger malware, you may notice system lag, noticeable overheating, or the
presence of unfamiliar software, system processes, or browser extensions.

How can I protect myself from keyloggers?

One of the best ways to protect yourself from keyloggers is to refrain from downloading files or clicking links from suspicious emails, messages, or contacts. Enabling two-factor authentication is also helpful in preventing identity theft that may result from malicious keylogging.

How can I remove keyloggers?

If you detect a strange program that may be a keylogger in your browser extensions, system processes, or software list, remove it immediately. Browser extensions can be easily removed from your list of extensions, and device applications can be deleted, moved to the trash, or uninstalled.

Cyber threats have evolved, and so have we.

Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.

Try Norton 360 with Lifelock.


Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.