Experts have found several flaws in three Android keyboard apps that can be exploited by remote attackers to compromise a mobile phone.
Researchers at Synopsys Cybersecurity Research Center (CyRC) warn of three Android keyboard apps with a total of two million installs that are affected by multiple flaws (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483) that can be exploited by attackers to compromise a mobile phone.
Remote keyboard and mouse applications connect to a server running on a desktop or laptop computer and forward the phone's mouse and keyboard events to it.
These three Android apps (Lazy Mouse, PC Keyboard and Telepad) are available on the official Google Play Store and are used as a remote keyboard and mouse.
CyRC experts warn of weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in all three apps.
“An exploit of the authentication and authorization vulnerabilities could allow unauthenticated remote attackers to execute arbitrary commands. Similarly, an exploit of the Insecure Communication vulnerability exposes user keystrokes, including sensitive information such as usernames and passwords.” reads the analysis published by CyRC.
“Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities are all related to authentication, authorization, and forwarding implementations, each application’s failure mechanism is different. CyRC found vulnerabilities that allow authentication bypasses and remote code execution in all three applications, but did not find a single exploit method that applied to all three.”
The affected software is:
- Telepad versions 1.0.7 and earlier
- PC Keyboard versions 30 and earlier
- Lazy Mouse versions 2.0.1 and earlier
Below are the details of the critical vulnerabilities:
CVE-2022-45477
Telepad allows unauthenticated remote users to send instructions to the server to execute arbitrary code without any prior authorization or authentication.
CVE-2022-45479
PC Keyboard allows unauthenticated remote users to send instructions to the server to execute arbitrary code without any prior authorization or authentication.
CVE-2022-45481
Lazy Mouse’s default configuration does not require a password, allowing unauthenticated remote users to execute arbitrary code without prior authorization or authentication.
CVE-2022-45482
The Lazy Mouse server enforces weak password requirements and does not implement rate limiting, allowing unauthenticated remote users to easily and quickly crack the PIN and execute arbitrary commands.
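The three server-side failure modes listed above (no password in the default configuration, weak PIN rules, and no rate limiting) map directly onto a small authentication gate. The following is an added, hypothetical hardening example and not code from Lazy Mouse, PC Keyboard or Telepad; the policy values, the `KeyboardServerAuth` class and the event format are assumptions.

```python
import hmac
import secrets
import time

# Added hardening of a remote keyboard/mouse server (hypothetical, not the apps' own code).
MIN_PIN_LEN = 6          # assumed policy: reject short PINs at configuration time
MAX_FAILURES = 5         # assumed policy: lock a client address after 5 bad attempts
LOCKOUT_SECONDS = 300    # assumed policy: per-client lockout length in seconds

def pin_policy_error(pin):
    """Return why a PIN is unacceptable, or None if it passes the policy."""
    if not pin:
        return "no PIN configured: the server must not start open to the network"
    if len(pin) < MIN_PIN_LEN:
        return f"PIN shorter than {MIN_PIN_LEN} characters"
    if len(set(pin)) == 1:
        return "PIN is a single repeated character"
    return None

class KeyboardServerAuth:
    def __init__(self, pin, clock=time.monotonic):
        error = pin_policy_error(pin)
        if error:
            raise ValueError(error)       # refuse to listen without a usable PIN
        self._pin = pin.encode()
        self._clock = clock
        self._failures = {}               # client address -> (bad attempts, locked_until)
        self._sessions = set()

    def authenticate(self, client, pin):
        """Check the PIN once per client; return a session token or None."""
        now = self._clock()
        failures, locked_until = self._failures.get(client, (0, 0.0))
        if now < locked_until:
            return None                   # locked out: do not even evaluate the PIN
        if hmac.compare_digest(self._pin, pin.encode()):   # constant-time comparison
            self._failures.pop(client, None)
            token = secrets.token_hex(16)
            self._sessions.add(token)
            return token
        failures += 1
        if failures >= MAX_FAILURES:      # too many wrong PINs: lock this client out
            failures, locked_until = 0, now + LOCKOUT_SECONDS
        self._failures[client] = (failures, locked_until)
        return None

    def handle_event(self, token, event):
        # Forward a keystroke or mouse instruction only for an authenticated session.
        if token not in self._sessions:
            return "rejected"
        return f"forwarded:{event}"
```

The lockout is keyed on the client address and is in memory only; a production server would also need the transport encrypted so the PIN and the forwarded keystrokes are not exposed on the network.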
The vulnerabilities were initially disclosed on August 13, 2022, and CyRC released the advisory after receiving no response from the development teams behind these apps.
Here is the timeline of these vulnerabilities:
- August 13, 2022: Initial disclosure
- August 18, 2022: Follow-up communication
- October 12, 2022: Final follow-up communication
- November 30, 2022: Notice published by Synopsys
“CyRC contacted the developers on several occasions, but did not receive a response within the 90-day period dictated by our responsible disclosure policy. These three apps are widely used but not maintained or supported, and obviously security was not a factor when these apps were developed.” concludes the report. “CyRC recommends removing apps immediately.”
Pierluigi Paganini