
Three vulnerable Android apps discovered with over 2 million downloads


Photo by Rafapress / Shutterstock.com

A security researcher at Synopsys, Mohammed Alshehri, has discovered three vulnerable Android remote keyboard apps that may leak users’ keystrokes via remote code execution flaws.

The three apps include PC Keyboard and Lazy Mouse, which are available on the Play Store, and Telepad, which can be downloaded via the official website. The apps have a combined total of over two million downloads. 

The following vulnerabilities were found in the three apps. 

| App Name    | Vulnerability  | Severity Rating | Description |
|-------------|----------------|-----------------|-------------|
| Telepad     | CVE-2022-45477 | 9.8 | Allows a remote user to run arbitrary code on the server without requiring authentication. |
| Telepad     | CVE-2022-45478 | 5.1 | Allows an attacker to perform a MITM attack to read keypresses in cleartext. |
| PC Keyboard | CVE-2022-45479 | 9.8 | Allows a remote user to run arbitrary code on the server without requiring authentication. |
| PC Keyboard | CVE-2022-45480 | 5.1 | Allows an attacker to perform a MITM attack to read keypresses in cleartext. |
| Lazy Mouse  | CVE-2022-45481 | 9.8 | Lack of password requirement. Allows a remote user to run arbitrary code on the server without requiring authentication. |
| Lazy Mouse  | CVE-2022-45482 | 9.8 | Weak password requirement with no rate limiting. Allows unauthenticated users to brute force the PIN and run arbitrary commands. |
| Lazy Mouse  | CVE-2022-45483 | 5.1 | Allows an attacker to perform a MITM attack to read keypresses in cleartext. |

All three apps seem to be no longer maintained or supported by their developers. The researchers found the vulnerabilities in August and tried contacting the developers. They tried again in October but to no avail, leading to the publication of their advisory.

We strongly recommend removing these apps and looking for alternatives if you’re using them.

Additionally, check when an app was last updated before downloading it: a long gap since the last update is a sign that the app may no longer be maintained, and unpatched flaws in it are unlikely to be fixed.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.