Photo by Rafapress / Shutterstock.com
A security researcher at Synopsys, Mohammed Alshehri, has discovered three vulnerable Android remote keyboard apps that may leak users’ keystrokes via remote code execution flaws.
The three apps include PC Keyboard and Lazy Mouse, which are available on the Play Store, and Telepad, which can be downloaded via the official website. The apps have a combined total of over two million downloads.
The following vulnerabilities were found in the three apps.
App Name | Vulnerability | Severity Rating | Description |
---|---|---|---|
Telepad | CVE-2022-45477 | 9.8 | Allows a remote user to run arbitrary code on the server without requiring authentication. |
Telepad | CVE-2022-45478 | 5.1 | Allows an attacker to perform a MITM attack to read keypresses in cleartext. |
PC Keyboard | CVE-2022-45479 | 9.8 | Allows a remote user to run arbitrary code on the server without requiring authentication. |
PC Keyboard | CVE-2022-45480 | 5.1 | Allows an attacker to perform a MITM attack to read keypresses in cleartext. |
Lazy Mouse | CVE-2022-45481 | 9.8 | Lack of password requirement. Allows a remote user to run arbitrary code on the server without requiring authentication. |
Lazy Mouse | CVE-2022-45482 | 9.8 | Weak password requirement with no rate implementation. Allows unauthenticated users to brute force the PIN and run arbitrary commands. |
Lazy Mouse | CVE-2022-45483 | 5.1 | Allows an attacker to perform a MITM attack to read keypresses in cleartext. |
All three apps seem to be no longer maintained or supported by their developers. The researchers found the vulnerabilities in August and tried contacting the developers. They tried again in October but to no avail, leading to the publication of their advisory.
We strongly recommend removing these apps and looking for alternatives if you’re using them.
Additionally, check the last update an app has received before downloading it, as too long a duration between updates can be unsafe.
In the News: Uniswap unveils NFT aggregator; Genie users get $5 million airdrop