Researchers have discovered critical remote code execution vulnerabilities in numerous remote keyboard apps for Android. Given their number of downloads, the vulnerable apps have put the security of more than 2 million Android users at risk.
Android Remote Keyboard App Vulnerabilities
According to a recent advisory, the Synopsys Cybersecurity Research Center (CyRC) found numerous security vulnerabilities in several Android remote keyboard apps. The vulnerable apps even included a remote mouse app.
Specifically, these apps include Lazy Mouse, Telepad, and PC Keyboard, which allow an Android device to act as a remote keyboard or mouse for computers. As for the vulnerabilities, CyRC has spotted the following critical issues with the apps.
- CVE-2022-45477 (CVSS 9.8): This vulnerability in the Telepad application allowed unauthenticated remote users to execute code on the target server.
- CVE-2022-45479 (CVSS 9.8): A critical vulnerability in the PC Keyboard application that allowed unauthenticated remote users to execute commands on the target server.
- CVE-2022-45481 (CVSS 9.8): A code execution vulnerability in the Lazy Mouse application that was open to unauthenticated remote users. This flaw existed because the default configuration did not require a password.
- CVE-2022-45482 (CVSS 9.8): The lack of rate limiting, combined with weak password requirements, in the Lazy Mouse app allowed unauthenticated remote attackers to brute-force a PIN and execute arbitrary commands.
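To show the control whose absence CVE-2022-45482 describes (and the missing default credential of CVE-2022-45481), here is an added example that is not code from any of the three apps or from the CyRC advisory. `PinGate`, `guesses_allowed`, the 6-character minimum and the backoff values are assumptions chosen for illustration.

```python
import hmac
import time


class PinGate:
    """Per-client PIN check with exponential lockout (hypothetical API)."""

    def __init__(self, pin, max_free_attempts=3, base_delay=2.0,
                 max_delay=3600.0, clock=time.monotonic):
        # Refuse to run without a credential: an empty default is the
        # CVE-2022-45481 pattern. The minimum length is an assumption.
        if not pin or len(pin) < 6:
            raise ValueError("a PIN of at least 6 characters is required")
        self._pin = pin.encode()
        self._max_free = max_free_attempts
        self._base = base_delay
        self._max = max_delay
        self._clock = clock
        self._state = {}  # client id -> (consecutive failures, locked-until)

    def locked_until(self, client):
        return self._state.get(client, (0, 0.0))[1]

    def check(self, client, attempt):
        """Return 'ok', 'denied' or 'locked' for one authentication attempt."""
        failures, locked_until = self._state.get(client, (0, 0.0))
        now = self._clock()
        if now < locked_until:
            return "locked"  # the guess is not evaluated while locked out
        if hmac.compare_digest(attempt.encode(), self._pin):  # constant time
            self._state.pop(client, None)
            return "ok"
        failures += 1
        delay = 0.0
        if failures >= self._max_free:
            # Delay doubles with every failure past the free attempts, capped.
            delay = min(self._base * 2 ** (failures - self._max_free), self._max)
        self._state[client] = (failures, now + delay)
        return "denied"


def guesses_allowed(window_seconds, **gate_kwargs):
    """Count the wrong guesses one client can get evaluated within a window."""
    now = [0.0]  # simulated clock, so the measurement runs instantly
    gate = PinGate("000000", clock=lambda: now[0], **gate_kwargs)  # constructed PIN
    count = 0
    while True:
        now[0] = max(now[0], gate.locked_until("client"))
        if now[0] > window_seconds:
            return count
        gate.check("client", "999999")
        count += 1
```

With these values a single client gets 36 guesses evaluated in 24 hours, against a six-digit space of one million. State is keyed per client identifier, so a real server would pair this with a global attempt limit.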
Additionally, the researchers noticed that the three apps exposed data in transit to a potential MitM attacker positioned between the server and the device. They observed Telepad (CVE-2022-45478; CVSS 5.1), PC Keyboard (CVE-2022-45480; CVSS 5.1) and Lazy Mouse (CVE-2022-45483; CVSS 5.1) transmitting sensitive data, including key presses, in clear text.
No patches available for any of the three apps
The vulnerabilities existed in Telepad versions 1.0.7 and earlier, PC Keyboard versions 30 and earlier, and Lazy Mouse versions 2.0.1 and earlier. The researchers explained that despite multiple attempts to contact the developers, they got no response.
Additionally, the apps do not appear to be maintained, which means the vulnerabilities put anyone still actively using them at risk. The researchers therefore urge all users to remove these apps from their devices to avoid potential risks.