Researchers have discovered critical remote code execution vulnerabilities in several remote keyboard apps for Android. Given their download counts, the vulnerable apps put over 2 million Android users at risk.
Android Remote Keyboard Apps Vulnerabilities
According to a recent advisory from the Synopsys Cybersecurity Research Center (CyRC), its researchers found multiple security vulnerabilities in several Android remote keyboard apps. One of the vulnerable apps is in fact a remote mouse app.
Specifically, these apps are Lazy Mouse, Telepad, and PC Keyboard, which let an Android device serve as a remote keyboard or mouse for a computer. CyRC spotted the following critical issues in the apps.
- CVE-2022-45477 (CVSS 9.8): This vulnerability in the Telepad app allowed remote unauthenticated users to execute code on the target server.
- CVE-2022-45479 (CVSS 9.8): A critical severity flaw affecting the PC keyboard app allowing remote unauthenticated users to execute commands on the target server.
- CVE-2022-45481 (CVSS 9.8): A code execution vulnerability in the Lazy Mouse app that allowed access to remote unauthenticated users. This flaw existed due to the absence of a password requirement in the default configuration.
- CVE-2022-45482 (CVSS 9.8): Lack of rate limiting and a weak password requirement in the Lazy Mouse app allowed remote unauthenticated attackers to brute-force the PIN and execute arbitrary commands.
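As an added illustration (not code from any of the three apps), the following shows the server-side controls whose absence underlies CVE-2022-45481 and CVE-2022-45482: refusing to start without a configured PIN, enforcing a minimum PIN policy, comparing in constant time, and locking a client out after repeated failures. The constants, names and client identifiers are assumptions for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 5         # failed attempts before a client is locked out (assumed value)
LOCKOUT_SECONDS = 300    # lockout window after too many failures (assumed value)
MIN_PIN_LENGTH = 6       # minimum PIN length enforced by the policy (assumed value)


def validate_pin_policy(pin: str) -> None:
    """Reject a missing or trivially guessable PIN instead of running open by default."""
    if not pin:
        raise ValueError("a PIN must be configured; refusing to start without one")
    if len(pin) < MIN_PIN_LENGTH or not pin.isdigit():
        raise ValueError(f"PIN must be at least {MIN_PIN_LENGTH} digits")
    if len(set(pin)) == 1:
        raise ValueError("PIN must not be a single repeated digit")


@dataclass
class PinAuthenticator:
    pin_hash: bytes
    # client id -> (consecutive failures, locked_until timestamp)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    @classmethod
    def from_pin(cls, pin: str) -> "PinAuthenticator":
        validate_pin_policy(pin)
        # fixed-length digest so compare_digest does not leak the PIN length
        return cls(hashlib.sha256(pin.encode()).digest())

    def check(self, client: str, attempt: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        count, locked_until = self.failures.get(client, (0, 0.0))
        if now < locked_until:
            return False  # still locked out: do not even evaluate the attempt
        ok = hmac.compare_digest(hashlib.sha256(attempt.encode()).digest(), self.pin_hash)
        if ok:
            self.failures.pop(client, None)  # success resets the counter
            return True
        count += 1
        if count >= MAX_ATTEMPTS:
            self.failures[client] = (0, now + LOCKOUT_SECONDS)  # start lockout window
        else:
            self.failures[client] = (count, 0.0)
        return False
```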
In addition, the researchers also noticed how all three apps exposed data in transit to a potential MiTM attacker positioned between the server and the device. They observed Telepad (CVE-2022-45478; CVSS 5.1), PC Keyboard (CVE-2022-45480; CVSS 5.1), and Lazy Mouse (CVE-2022-45483; CVSS 5.1) transmitting sensitive data, including keypresses, in cleartext.
No Patch Available For All Three Apps
The vulnerabilities affect Telepad versions 1.0.7 and prior, PC Keyboard versions 30 and prior, and Lazy Mouse versions 2.0.1 and prior. The researchers explained that despite multiple attempts to contact the developers, they didn’t hear back.
Moreover, the apps no longer appear to be maintained, so the vulnerabilities remain a risk to their active users. Hence, the researchers urge all users to delete these apps from their devices.