Three Android applications that allow users to use devices as external keyboards for their computers have critical vulnerabilities that could expose keystrokes and allow remote code execution.
The apps are PC Keyboard, Lazy Mouse and Telepad. Their vulnerable versions (free and paid) have a combined total of over two million installs on Google Play.

The critical weaknesses were discovered by Synopsys analysts, who notified the app developers of their findings in August 2022.
The researchers released a security advisory today, after trying to contact the software vendors again in October 2022 and getting no response.
“CyRC investigation revealed weak or missing authentication mechanisms, missing authorization and insecure communication vulnerabilities in the three apps,” the advisory reads.
“While the vulnerabilities are all related to the authentication, authorization and transmission implementations, each application’s failure mechanism is different” – Synopsys
The flaws that affect each app are the following:
- CVE-2022-45477 (severity score 9.8) – Flaw in Telepad, allowing an unauthenticated remote user to send instructions to the server to execute arbitrary code without authorization or authentication.
- CVE-2022-45478 (severity score 5.1) – Telepad flaw that could allow an attacker to perform a man-in-the-middle (MITM) attack and read all keystrokes in plaintext.
- CVE-2022-45479 (severity score 9.8) – Flaw in PC Keyboard, allowing an unauthenticated remote user to send instructions to the server to execute arbitrary code without authorization or authentication.
- CVE-2022-45480 (severity score 5.1) – PC Keyboard bug that could allow an attacker to perform a man-in-the-middle (MITM) attack and read all keystrokes in plaintext.
- CVE-2022-45481 (severity score 9.8) – No password requirement in the default configuration of Lazy Mouse, allowing unauthenticated users to remotely execute arbitrary code without authorization or authentication.
- CVE-2022-45482 (severity score 9.8) – The Lazy Mouse server enforces weak password requirements and does not implement rate limiting, allowing unauthenticated attackers to brute force the PIN and execute arbitrary commands.
- CVE-2022-45483 (severity score 5.1) – Lazy Mouse bug that allows an attacker to perform a man-in-the-middle (MITM) attack and read all keystrokes in plaintext.
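
CVE-2022-45482 combines a short PIN with no limit on guessing. The following added example (not code from the Synopsys advisory or from any of the three apps) sketches a server-side PIN check with exponential backoff and computes how long an exhaustive search would then take; the class name, parameters and sample PIN are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


class ThrottledPinVerifier:
    """Server-side PIN check with per-client exponential backoff (illustrative names)."""

    def __init__(self, pin, base_delay=1.0, max_delay=3600.0, free_attempts=3,
                 clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.free_attempts = free_attempts
        self._clock = clock
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)      # keep a salted hash, not the PIN itself
        self._state = {}                    # client_id -> (failures, locked_until)

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def lockout_seconds(self, failures):
        """Delay imposed after the given number of consecutive failures."""
        if failures < self.free_attempts:
            return 0.0
        exponent = min(failures - self.free_attempts, 30)   # bound the power of two
        return min(self.base_delay * 2 ** exponent, self.max_delay)

    def verify(self, client_id, pin):
        """Return 'ok', 'denied' or 'throttled' for one authentication attempt."""
        now = self._clock()
        failures, locked_until = self._state.get(client_id, (0, 0.0))
        if now < locked_until:
            return "throttled"              # guess is not evaluated while locked out
        if hmac.compare_digest(self._hash(pin), self._digest):
            self._state.pop(client_id, None)
            return "ok"
        failures += 1
        self._state[client_id] = (failures, now + self.lockout_seconds(failures))
        return "denied"

    def worst_case_seconds(self, pin_space):
        """Total enforced waiting time to try every PIN from one client identity."""
        return sum(self.lockout_seconds(f) for f in range(1, pin_space))


if __name__ == "__main__":
    verifier = ThrottledPinVerifier("4821")          # constructed sample PIN
    days = verifier.worst_case_seconds(10_000) / 86_400
    print(f"4-digit PIN, exhaustive search: about {days:.0f} days of lockout")
```

The throttle here is keyed on a client identifier, so a server should also cap total failed attempts across all clients when that identifier cannot be trusted.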
The three apps are no longer maintained or supported by their developers, so they meet the definition of “abandonware”.

Continuing to use the apps carries a significant risk of sensitive information being disclosed. Successful exploitation can also allow remote attackers to execute arbitrary code on the device.
If you’re looking for a remote keyboard app, there are several actively maintained projects on Google Play, many of which have positive user reviews.
Before installing any alternative app, you should check the user reviews, carefully read the privacy policy of the project and check the date of the last update. If possible, users should try to confirm that data is encrypted in transit.