Security Tips · 7 min read

How to Check Your Mac for a Keylogger

Hassanain

I noticed something weird last week. My Mac's fan was running constantly, even though I wasn't doing anything intensive. Just sitting there with Safari open, and the thing sounded like it was mining Bitcoin. Turns out a sneaky process was capturing every keystroke in the background, quietly logging everything to a hidden file.

Keyloggers on Mac aren't as rare as people think. They're not always malicious either — sometimes they're parental control software gone rogue, or legitimate monitoring tools that didn't get properly uninstalled. But whether they're there intentionally or not, knowing how to check your Mac for a keylogger is pretty essential these days.

Here's what I've learned from years of poking around macOS internals and building security tools. Most keyloggers leave traces if you know where to look.

What Exactly is a Keylogger on Mac?

A keylogger captures your keystrokes and saves them somewhere. Simple concept, but the implementation varies wildly. Some write to local files, others send data over the network. Some hook into the system at a low level, others request explicit permissions through macOS's privacy system.

The legitimate ones usually show up in System Settings asking for Input Monitoring access. That's Apple's way of making sure you know when something wants to see your typing. But here's the thing — not all keyloggers play by these rules.

Malicious keyloggers often try to bypass the permission system entirely. They'll use kernel extensions (on older macOS versions), exploit vulnerabilities, or trick users into granting permissions they don't understand.

Check Input Monitoring Permissions First

Start with the obvious place. Go to System Settings > Privacy & Security > Input Monitoring. This shows every app that's requested permission to monitor your keyboard and mouse input.

Look through this list carefully. Do you recognize everything? More importantly, do you remember granting these permissions?

I've seen PDF readers in here. Camera apps. Random utilities that have zero business monitoring your keystrokes. One thing that surprised me when building CoreLock's scanner was how many legitimate apps request permissions they absolutely don't need. Camera access for a PDF reader? Come on.

If you see something suspicious, click the toggle to revoke access. The app won't be able to see your keystrokes anymore, though it might complain or stop working properly.

But here's where it gets tricky — some keyloggers don't show up in this list at all. They're either using older APIs or operating at a system level where they don't need explicit permission. That's why we need to dig deeper.

Hunt Through Launch Agents and Daemons

This is where most persistent keyloggers hide. Launch Agents and Launch Daemons are macOS's way of running background processes, and they're perfect for malware that wants to start automatically.

The first thing I do on any new Mac is check what's in ~/Library/LaunchAgents. It's shocking what ends up there after a few months of installing software.

Open Terminal and run:

ls -la ~/Library/LaunchAgents/

You'll see a bunch of .plist files. Each one represents a background process that starts when you log in. Look for names you don't recognize, especially anything with generic names like "com.system.agent" or "com.apple.update" (Apple's real processes have more specific naming).

Check the system-wide locations too:

ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/
ls -la /System/Library/LaunchAgents/
ls -la /System/Library/LaunchDaemons/

The /System/Library folders contain Apple's own processes, so focus on the other two. Anything in /Library/LaunchDaemons runs with root privileges, which makes it particularly dangerous.

Found something suspicious? You can examine the .plist file to see what program it's launching:

cat ~/Library/LaunchAgents/suspicious.file.plist

Look for the ProgramArguments section. This tells you exactly what executable is being run. If it points to something in a hidden folder or has a weird name, that's a red flag.
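
The same review can be scripted. The following is an added example, not code from this article or from CoreLock: it parses every .plist in the three non-Apple launch folders (plistlib reads both XML and binary plists, which cat prints unreadably) and reports what each job runs. The red-flag rules and the ODD_PREFIXES list are assumptions chosen for illustration, and a flag is a reason to look closer, not a verdict.

```python
import plistlib
from pathlib import Path

# Locations from this page; /System/Library holds Apple's own jobs and is skipped.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Assumption: a job binary under these prefixes counts as an unusual location.
ODD_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def launched_program(job):
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or []
    return str(job.get("Program") or (args[0] if args else ""))

def red_flags(job, plist_path):
    """Reasons to look closer at a job (heuristics, not verdicts)."""
    flags, prog = [], launched_program(job)
    if not prog:
        flags.append("no Program or ProgramArguments")
    if any(part.startswith(".") for part in Path(prog).parts[:-1]):
        flags.append("executable inside a hidden folder")
    if prog.startswith(ODD_PREFIXES) or "/Downloads/" in prog:
        flags.append("executable in a temp, shared or Downloads folder")
    if str(job.get("Label", "")).startswith("com.apple.") and not str(plist_path).startswith("/System/"):
        flags.append("com.apple label outside /System/Library")
    if str(plist_path).startswith("/Library/LaunchDaemons/") and prog.startswith("/Users/"):
        flags.append("root daemon running a binary from a home folder")
    return flags

def audit(dirs=LAUNCH_DIRS):
    """Parse each .plist in dirs (XML or binary); return (path, program, flags)."""
    results = []
    for d in dirs:
        for p in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                with open(p, "rb") as fh:
                    job = plistlib.load(fh)
                if not isinstance(job, dict):
                    raise ValueError("top level is not a dictionary")
            except Exception as exc:  # a launchd plist we cannot read is itself notable
                results.append((str(p), "", [f"unparseable: {type(exc).__name__}"]))
                continue
            results.append((str(p), launched_program(job), red_flags(job, p)))
    return results

if __name__ == "__main__":
    for path, prog, flags in audit():
        print(f"{'!!' if flags else 'ok'} {path} -> {prog or '?'} {'; '.join(flags)}")
```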

Dig Into Process Lists

While you're in Terminal, check what's actually running right now:

ps aux | grep -v grep | sort

This shows all running processes. Look for anything that seems out of place. Keyloggers often have names designed to blend in — things like "systemd" (that's Linux, not macOS), "kerneld", or "syslogd" variations.

Pay special attention to processes running from unusual locations. Most legitimate macOS processes live in /usr/bin/, /usr/sbin/, or inside .app bundles in /Applications/. If you see something running from a random folder in your home directory or /tmp/, investigate further.

You can also use Activity Monitor for a more visual approach. Open it and click the CPU tab. Sort by process name and look for anything unfamiliar. Double-click suspicious processes to see their full path and other details.

Check Network Activity

Many modern keyloggers don't just log locally — they send your data somewhere else. You can monitor network connections to spot this behavior:

lsof -i | grep ESTABLISHED

This shows all active network connections. Look for processes you don't recognize connecting to external servers. Of course, lots of legitimate apps make network connections, so this takes some judgment.

If you find something suspicious, note the process name and research it. A quick Google search often reveals whether something is legitimate or malicious.
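
To make that judgment easier, the added example below (not code from this article or from CoreLock) reduces lsof output to one line per process, listing only the established connections whose remote end is outside loopback, link-local and private ranges. It assumes lsof is run as `lsof -i -nP` so addresses and ports stay numeric; SAMPLE, the process name helperd and the known-commands set are constructed for illustration.

```python
import ipaddress
import re
import subprocess
from collections import defaultdict

# Loopback, link-local and private ranges: these connections stay on the Mac or the LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# COMMAND PID USER ... local->remote:port (ESTABLISHED); IPv6 hosts are bracketed.
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s.*->\[?([0-9A-Fa-f:.]+)\]?:(\d+) \(ESTABLISHED\)\s*$")

# Constructed sample of `lsof -i -nP` output (not captured from a real machine).
SAMPLE = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari      612 me     34u  IPv4 0x1a2b3c4d5e6f0001      0t0  TCP 192.168.1.20:52311->203.0.113.10:443 (ESTABLISHED)
Safari      612 me     35u  IPv4 0x1a2b3c4d5e6f0002      0t0  TCP 192.168.1.20:52312->192.168.1.1:80 (ESTABLISHED)
rapportd    455 me      8u  IPv4 0x1a2b3c4d5e6f0003      0t0  TCP *:49152 (LISTEN)
helperd    9001 me      5u  IPv4 0x1a2b3c4d5e6f0004      0t0  TCP 192.168.1.20:52400->198.51.100.7:8443 (ESTABLISHED)
helperd    9001 me      6u  IPv6 0x1a2b3c4d5e6f0005      0t0  TCP [::1]:52401->[::1]:9000 (ESTABLISHED)
"""

def external_connections(lsof_text):
    """Map (command, pid, user) to the sorted remote 'ip:port' endpoints off the local network."""
    found = defaultdict(set)
    for line in lsof_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, LISTEN sockets, UDP, hostnames (lsof run without -n)
        command, pid, user, host, port = m.groups()
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # not a numeric address after all
        if any(addr in net for net in LOCAL_NETS):
            continue
        found[(command, int(pid), user)].add(f"{host}:{port}")
    return {key: sorted(remotes) for key, remotes in found.items()}

def unfamiliar(conns, known_commands):
    """Keep only processes whose command name is not in the caller's known set."""
    return {k: v for k, v in conns.items() if k[0] not in known_commands}

if __name__ == "__main__":
    out = subprocess.run(["lsof", "-i", "-nP"], capture_output=True, text=True).stdout
    for (cmd, pid, user), remotes in external_connections(out).items():
        print(f"{cmd} (pid {pid}, {user}): {', '.join(remotes)}")
```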

Search for Suspicious Files

Keyloggers need to store their captured data somewhere. Common locations include hidden folders in your home directory, /tmp/, or /var/log/.

Check for recently created files in these locations:

find ~/Library -name ".*" -type f -mtime -7
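find /private/tmp -type f -mtime -1
ls -lat /var/log/ | head -20

The first command finds hidden files (starting with a dot) in your Library folder that were modified in the last week. The second looks for recent files in /tmp/, which on macOS is a symlink to /private/tmp; find does not follow that symlink, so give it the real path. The third lists /var/log/ sorted newest first, so recently written log files appear at the top.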

Look for files with generic names, unusual extensions, or files that seem too large for what they should contain. A 50MB text file in a random location is worth investigating.

You can peek at file contents with:

head -20 suspicious_file.txt

If it contains readable text that looks like captured keystrokes, you've found your keylogger's output.

Don't Forget USB Hardware Keyloggers

Software isn't the only way to capture keystrokes. Hardware keyloggers are small devices that plug between your keyboard and computer. They're less common but worth checking for.

The ioreg command shows all connected USB devices:

ioreg -p IOUSB -w0 -l

Look through the output for USB devices you don't recognize. Pay attention to anything described as a "keyboard" that isn't your actual keyboard, or generic USB devices with vague descriptions.

If you have a wired keyboard, physically trace the cable from keyboard to computer. Hardware keyloggers often look like small USB dongles or inline adapters.

Legitimate vs. Malicious: The Gray Area

Here's where things get complicated. Not every keylogger is malicious. Parental control software like Qustodio or Circle legitimately monitors keystrokes. Employee monitoring tools exist for corporate environments. Even accessibility software sometimes captures keyboard input.

The question isn't always "is this a keylogger?" but "do I want this keylogger here?"

Check if you or someone else with access to your Mac installed monitoring software intentionally. Look in /Applications/ for parental control or employee monitoring apps. These usually have legitimate-looking names and proper app bundles.

If you find legitimate monitoring software but don't want it anymore, you'll need to uninstall it properly. Many of these tools scatter files across your system and don't clean up completely when you just drag them to the Trash.

When Keyloggers Hide Really Well

I'll be honest — sophisticated keyloggers can hide pretty effectively. They might use rootkit techniques to hide from process lists, store data in encrypted formats, or masquerade as legitimate system processes.

If you suspect a keylogger but can't find evidence using these methods, consider more advanced tools. Some security scanners can detect hidden processes and suspicious behavior patterns that manual inspection might miss.

This is actually one of the things we built CoreLock to handle — scanning for monitoring software and suspicious processes that don't show up in obvious places. But even with good tools, really advanced malware can sometimes slip through.

What to Do If You Find a Keylogger

Found something suspicious? Don't panic, but do act quickly.

First, change your passwords from a different device. If a keylogger has been recording your typing, assume it captured your login credentials.

For software keyloggers, you'll need to:

  1. Kill the running process
  2. Remove the associated files
  3. Delete any Launch Agent or Launch Daemon .plist files
  4. Check for related files scattered around your system

Hardware keyloggers are simpler — just unplug the device.

After removal, monitor your system for a few days. Some keyloggers reinstall themselves or have multiple components. Watch for suspicious network activity, unexpected system behavior, or processes you don't recognize.

The Limitations of DIY Detection

To be fair, this manual approach isn't foolproof. Advanced keyloggers can hide in ways that make detection really difficult. Kernel-level rootkits, for example, can intercept system calls and hide their presence from standard detection methods.

macOS's System Integrity Protection (SIP) makes this harder than it used to be, but it's not impossible. And honestly, if you're dealing with nation-state level surveillance or really sophisticated corporate espionage, you probably need professional help anyway.

For most people dealing with garden-variety spyware or poorly implemented monitoring software, these techniques should be enough to spot the obvious stuff.

Prevention is Still Better

While knowing how to check your Mac for a keylogger is useful, prevention beats detection every time. Keep your system updated, be careful about what software you install, and pay attention to permission requests.

When apps ask for Input Monitoring access, think carefully about whether they actually need it. That photo editing app probably doesn't need to monitor your keystrokes, regardless of what the installer claims.

Consider using additional security tools that can monitor for suspicious behavior automatically. It's easier than manually checking processes and files every week, and you're more likely to catch things early.

But at the end of the day, the best defense is awareness. Understanding what's normal on your system makes it much easier to spot when something's wrong. Take some time to familiarize yourself with your Mac's typical behavior — then you'll notice when that behavior changes.
