Although macOS has a reputation for being an extremely private and secure operating system, it's not immune from keylogging software. In fact, there are numerous keyloggers that can easily run on your Mac, steal personal data, and put your privacy at serious risk. Read on to learn how to detect and remove keyloggers on Mac.
What can a keylogger do to your Mac?
Keyloggers are highly-invasive spyware capable of recording keystrokes from a Mac keyboard. That allows cybercriminals and other bad actors to access sensitive information such as usernames and passwords, credit card info, confidential notes, etc. Some keyloggers even take screenshots and monitor web browsing and other app-related activities, further endangering user privacy.
Malicious keyloggers often piggyback through legitimate or potentially unwanted programs (or PUPs) installed on a Mac. Or, they could be components of system-wide malware infections.
That said, keylogging software can also be commercially bought. While these are generally marketed to parents, schools, and employers, anyone can use them to spy on others. Perfect Keylogger, Hoverwatch, and Aobo are examples of popular off-the-shelf keyloggers.
Commercial keyloggers collect and store whatever they record locally on the Mac or upload the data to an online server for remote access (similar to their malicious counterparts). However, this is only an issue if someone else knows your user account password or has administrative access to your Mac.
Before you start
If you worry that your Mac is under malicious attack, download MacKeeper. It's an Apple-notarized all-in-one Mac maintenance utility capable of removing viruses and dangerous spyware from your Mac.
How to detect and remove keyloggers on Mac
Detecting and removing a keystroke logger from your Mac can be exhausting and challenging. Most keylogging software features nondescript names and processes that make identification difficult. Also, they run covertly without showing up on the Dock and don't impact system performance (unless part of a larger malware attack).
However, if you were subject to a recent account breach, identity theft scam, or extortion attempt, then the chances are you may have a keylogger on your Mac. Keylogger detection and removal on a Mac involves scanning your Mac for malware, scrutinizing your privacy and security permissions, and inspecting a list of running processes on your Mac.
Run a scan for malware
The best way to detect and remove a malicious keylogger from your Mac is to perform a thorough check for malware. Here's how to use MacKeeper to scan for malware on a Mac.
Note: Commercial keylogging software can slip through an anti-malware scanner since they often have administrative permissions to run on your Mac.
- Download and install MacKeeper
- Switch to the Antivirus tab and select Launch Antivirus
- Select Start Scan
Wait until MacKeeper scans macOS for malware. Then, quarantine or remove any malicious items that it detects. It's also a good idea to switch to the Adware Cleaner tab and delete any PUPs and adware from your Mac.
Check your Mac's privacy and security settings
If an anti-malware scan doesn't help, check your Mac's privacy and security settings next. That gives you the opportunity to detect and revoke permissions that keyloggers (primarily those of the off-the-shelf variety) require to run on your Mac.
- Open the Apple menu and select System Preferences
- Select the Security & Privacy category
- Switch to the Privacy tab
- Shift through the tabs on the left sidebar — Full Disk Access, Screen Recording, Accessibility, etc
- If you notice anything unusual, select the Lock icon and disable it
Check your Mac's list of login items
Keyloggers typically load alongside the operating system as you turn on your Mac. Check your user account's Login Items list and remove anything suspicious.
- Open the System Preferences app and select Users & Groups
- Select your account and switch to the Login Items tab
- Highlight an item and select the Minus icon to remove it
Some keyloggers run at Mac startup as launch agents and daemons. To remove the relevant property list (PLIST) files:
1. Control-click the Finder icon on the Dock and select Go to Folder
2. Visit the following locations:
3. Locate and remove any PLIST files with unusual file names.
Alternatively, use the Login Items feature in MacKeeper to get rid of unwanted startup items from your Mac.
Review a list of running processes on your Mac
Next, check the Activity Monitor on your Mac for possible keylogger activity.
1. Open the Launchpad and select Other > Activity Monitor
2. Review your Mac's list of running processes. Due to the sheer number of background processes, you may have to spend considerable time vetting suspicious items through a search engine like Google
Note: Some keyloggers may mirror system processes to stay hidden. E.g., the commercial keylogger "Hoverwatch" runs as sysmond, which has a name similar to another legitimate process. Pay extra attention to duplicate processes.
3. If you notice a suspicious process, double-click it and switch to the Open Files and Ports tab
4. Note the file path at the top of the description area and select Quit to shut down the process
5. Open a Go to Folder box and visit the directory you noted in the previous step. Then, delete all files and folders related to the process inside
Check the Library and Applications folders for suspicious items
Visit the Library folder on your Mac and delete any unusual folders inside it. To get to it, open a Go to Folder box, type /Library, and press Enter.
Also, check all subfolders within the directory — e.g., Application Support — for suspicious items. Don't forget to press Shift + Command + Period (.) to reveal hidden files and folders.
Most keyloggers don't live inside your Mac's Applications folder, but it won't hurt to check. Open a new Finder window, select Applications on the sidebar, and delete any suspicious or unknown programs you find. However, dragging and dropping a program into the Trash won't suffice. Learn how to delete an app and its hidden files from your Mac.
Erase and reinstall macOS on your Mac
If you have trouble detecting a keystroke logger on your Mac or want to ensure no traces are left, your only remaining option is to erase and reinstall macOS. Make sure to back up your Mac before you go ahead.
If you use macOS Monterey or later, you can factory reset your Mac via the System Preferences app. To do that:
- Open the System Preferences app
- Select System Preferences > Erase All Content and Settings on the menu bar
- Work through the onscreen instructions to factory reset your Mac
In macOS Big Sur and older versions of macOS, you must erase and reinstall the operating system via macOS Recovery.
How to protect your Mac against keylogging software
After removing a keylogger from your Mac, here are several ways to safeguard yourself against spyware going forward.
Use an anti-malware scanner
Set up an anti-malware scanner to act as a gatekeeper against PUPs, adware, and other malicious programs. Download MacKeeper for comprehensive, around-the-clock protection.
Keep your Mac up-to-date
Always keep your Mac up-to-date. That minimizes a keylogger's chances of exploiting security loopholes to run on your Mac. To update your Mac:
- Open the System Preferences app
- Select Software Update
- Select Update Now
Also, consider setting up automatic updates on your Mac by checking the box next to Automatically keep my Mac up to date.
Install programs from trustworthy sources only
Install programs from trustworthy download sources — such as the Mac's built-in App Store — can significantly reduce the chances of infecting your Mac with a keylogger.
Install a content blocker or ad blocker
Malicious keyloggers trick users into installing them while browsing online. Use a strong content blocker to safeguard yourself against websites that display malicious ads and other forms of manipulative content. MacKeeper comes with a StopAd module that blocks advertisements in Safari.
Stop administrative access to other users
Use a strong password to protect your Mac user account from unauthorized access. If you share your Mac desktop or laptop with others, consider setting up standard accounts with limited privileges.
To update your Mac's password or create accounts with non-administrative privileges:
- Open the System Preferences app
- Select Users & Groups
- Select Change Password next to your user account to update the password or the Plus icon to create new standard accounts. While you're at it, you can also choose to delete any other accounts with administrative access from your Mac
Alternatively, you can allow guest logging to let people log into your Mac temporarily with limited privileges. To do that, select Guest User and check the box next to Allow guests to log in to this computer.
Avoid keyloggers at all costs
Keyloggers can severely jeopardize your privacy, so it's best to avoid them at all costs. Installing programs from trustworthy sources and preventing others from having unrestricted access to your Mac can go a long way toward making that happen. A robust anti-malware utility like MacKeeper running in the background will enhance the odds of stopping keyloggers from invading your privacy even further.