What is a keylogger?

A contraction of “keystroke logger”, a keylogger is either a piece of software or a hardware device that records input from your device’s keyboard. Although not strictly part of the definition, keylogger software can also often record video and/or audio input from your device’s camera and/or microphone and capture data from your clipboard. 

In this article, we look at what keyloggers are, how to detect them, and how to remove them. 

Keylogger definition

A keylogger is any software or hardware device that records your keystrokes when using a computer. Note that “computer” includes mobile devices, as some keylogger software can record your taps and swipes on a touchscreen. 

Software keyloggers are by far the most common, and software keylogging viruses can replicate and infect other devices. 

Hardware keylogging devices might be installed by a manufacturer or government agencies that intercept hardware deliveries(new window). However, the most common type of hardware keylogger is a USB device inserted between a computer’s USB port and its keyboard’s USB connector or dongle (for wireless keyboards). Currently, no known hardware keyloggers can log input from a target mobile device’s touchscreen.

Most modern keyloggers send the information they collect over the internet to whoever developed or configured them, but some keyloggers (especially physical ones) may require manual retrieval. 

Are keyloggers malware?

Keyloggers are often a form of malware used by criminal hackers to gain illicit access to passwords, bank account details, credit card details, and other highly sensitive information. (Hackers also use hardware keyloggers — a good example is attaching a physical keylogger to the USB ports of computers at an internet café). 

In addition to simple criminal activity, keylogger malware is used for police surveillance,  state-sponsored cyber warfare, and corporate espionage. 

However, there are (more) legitimate uses for keyloggers:

  • “Net nanny” software suites often include keylogging capabilities that allow parents to monitor their kids’ online activity and help keep them safe.
  • Companies are increasingly using bossware(new window) surveillance software with keylogging capabilities (together with the ability to take screenshots and even webcam photos) to ensure employees don’t slack off. The use of this kind of software has skyrocketed as more and more people work remotely. 

How does a keylogger infect your system?

Malware keyloggers infect systems in the same way that other types of malware do.  

  • Keylogger viruses(new window) self-replicate and spread from computer to computer across networks.
  • Keylogger Trojans(new window) appear to be legitimate software (or hide inside legitimate software).
  • Rootkits(new window) may contain keylogger capabilities and can be difficult to detect, even with good anti-malware software.

Learn more about malware

Attackers often distribute malware keyloggers via drive-by-downloads(new window) (scripts executed when you visit a malicious website) or phishing (where you are tricked into installing malicious software or clicking a link to a drive-by-download website).

Corporate or state-sponsored hackers and the police often perform highly targeted attacks against individuals via personalized spear-phishing tactics that use social engineering to trick the victim into installing a malware keylogger. This type of hacker is also more likely to physically access a device to plant a physical keylogger or infect it with keylogger malware. 

Learn more about phishing and spear phishing(new window)

More legitimately, it’s perfectly legal for someone to install a keylogger on hardware they own. This includes devices given to children by their parents and laptops supplied to employees. 

Remote employees who use their own equipment are often required to install bossware keyloggers on their hardware as a condition of their contract. 

How to detect a keylogger

Malware keyloggers are by far the most common type of keylogger, so the most effective general defense against keyloggers is to use good antivirus software. 

If you use a public computer to do anything sensitive (for example, at an internet café), it’s always a good idea to quickly check that no strange devices are plugged into its USB ports. If you think you might be singled out for targeted surveillance, you should periodically give your computer a thorough physical examination. 

Other ways to protect yourself against keyloggers

All the usual precautions for protecting yourself against malware apply keyloggers:

  • Use good antivirus software
  • Don’t open emails from unknown sources
  • Don’t click links you’re unsure about
  • Don’t install software from untrusted websites

Using two-factor authentication (2FA)(new window) is always a good idea, but be aware that malware keyloggers can often steal the contents of your device’s clipboard. Even if you enter the 2FA code manually using your keyboard, a hacker might be able to see this and use the code to log in to your account while the code is still active. 

Additional precautions you can take include:

Use DNS filtering

DNS filtering blocks connections to blocklisted domains. This can help protect you against downloading malware keyloggers from domains that are known to be malicious. If you already have a keylogger on your system, DNS filtering can prevent it from sending your stolen keystrokes back to the hacker. 

Proton VPN offers a DNS filtering feature that’s available to anyone on a paid plan. In addition to filtering out malware, our NetShield Ad-blocker can block ads and trackers. 

Learn more about NetShield

Use a password manager

By far the most common use of keyloggers is to steal usernames and passwords. A password manager such as Proton Pass can autofill passwords, so there are no keystrokes or touchscreen taps for the keylogger to record.

Final thoughts

Unless you are a person of particular interest to the police, government agencies, corporate hackers, or otherwise have access to valuable assets that could make you a target for cybercriminals, your primary area of concern should be malware keyloggers that opportunistic criminals randomly distribute.

Your best defenses against picking up such malware are using good anti-malware software and being very careful about phishing, which emails you open, and which links you click. 

Related articles

How to fix a 502 error
en
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
en
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
en
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
en
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
en
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
en
  • Privacy basics
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .