Researchers have discovered multiple flaws in three Android remote keyboard apps that remote attackers could exploit to execute arbitrary code on the desktop or laptop the apps control and to capture the user's keystrokes.
The Synopsys Cyber Security Research Center (CyRC) warns that three Android keyboard apps with 2 million cumulative installs are affected by seven vulnerabilities (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483) that an unauthenticated remote attacker can exploit to run arbitrary commands on the receiving computer.
All three apps (Lazy Mouse, PC Keyboard, and Telepad) are available on the official Google Play Store and turn the phone into a remote keyboard and mouse: the app connects to a server component running on a desktop or laptop and transmits mouse and keyboard events to that server, which replays them as local input.
CyRC experts warned of weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps.
“Exploitation of authentication and authorization vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary commands. Similarly, exploitation of insecure communications vulnerabilities could expose user keystrokes, including sensitive information such as usernames and passwords,” reads the analysis published by CyRC.
“Mouse and keyboard applications use various network protocols to exchange mouse and keystroke commands. While the vulnerabilities are all related to authentication, authorization, and transport implementations, the failure mechanism is different for each application. Vulnerabilities allowing authentication bypass and remote code execution were found in , but no single exploit was found for all three applications.”
Affected versions are:
- Telepad version 1.0.7 and earlier
- PC Keyboard version 30 and earlier
- Lazy Mouse version 2.0.1 and earlier
Here are the details of the critical vulnerabilities:
Telepad allows remote unauthenticated users to send instructions to a server to execute arbitrary code without any prior authorization or authentication.
PC Keyboard allows unauthenticated remote users to send commands to a server to execute arbitrary code without any prior authorization or authentication.
Lazy Mouse’s default configuration does not require a password, allowing unauthenticated remote users to execute arbitrary code without prior authorization or authentication.
The Lazy Mouse server enforces weak password requirements and does not enforce rate limiting, allowing remote unauthenticated users to easily and quickly brute force PINs and execute arbitrary commands.
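The four findings above fall into two classes: a command channel that accepts input from anyone who can reach the port, and a pairing step whose PIN is short and can be guessed without limit. The following is an added illustration of both, modelled on a generic remote keyboard/mouse server; it is not code from Telepad, PC Keyboard or Lazy Mouse, and the class names, the 4-digit PIN length, the 5-failure lockout, and the sequence-number framing are all assumptions chosen for the example. It puts the weak pattern next to a hardened one: a long shared secret compared in constant time with lockout after repeated failures, and per-message HMAC tags with a monotonically increasing sequence number so that unauthenticated or replayed input is dropped before it is typed.

```python
"""Added example: weak vs hardened pairing and command handling for a
hypothetical remote keyboard/mouse server. Nothing here is taken from the
three apps in the advisory; names and wire format are illustrative."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


class WeakPairing:
    """Failure class from the advisory: short numeric PIN, no lockout, no rate limit."""

    def __init__(self, pin: str) -> None:
        self.pin = pin

    def try_pin(self, guess: str) -> bool:
        return guess == self.pin  # plain compare; the server never refuses a guess


def brute_force_weak(gate: WeakPairing) -> int:
    """Walk the entire 4-digit keyspace; returns how many guesses were needed."""
    for attempt, candidate in enumerate(range(10_000), start=1):
        if gate.try_pin(f"{candidate:04d}"):
            return attempt
    raise RuntimeError("PIN space exhausted without a match")


class HardenedPairing:
    """Long shared secret, constant-time compare, lockout after repeated failures."""

    MAX_FAILURES = 5          # assumed policy values, not from any real app
    LOCKOUT_SECONDS = 300.0

    def __init__(self, secret: str, clock=time.monotonic) -> None:
        if len(secret) < 12:
            raise ValueError("pairing secret must be at least 12 characters")
        self._digest = hashlib.sha256(secret.encode()).digest()
        self._clock = clock  # injectable so the lockout can be tested offline
        self._failures = 0
        self._locked_until = 0.0

    def try_secret(self, guess: str) -> Optional[bytes]:
        """Return a fresh 32-byte session key on success, None otherwise."""
        now = self._clock()
        if now < self._locked_until:
            return None  # locked out: refuse without evaluating the guess
        guess_digest = hashlib.sha256(guess.encode()).digest()
        if hmac.compare_digest(guess_digest, self._digest):
            self._failures = 0
            return secrets.token_bytes(32)
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._locked_until = now + self.LOCKOUT_SECONDS
        return None


class CommandServer:
    """Server side of the input channel; records what it would have typed."""

    def __init__(self) -> None:
        self.typed: List[str] = []
        self._last_seq = -1

    def handle_unauthenticated(self, payload: bytes) -> bool:
        """Failure class from the advisory: any sender on the network can inject input."""
        self.typed.append(payload.decode())
        return True

    def handle_authenticated(self, session_key: bytes, message: bytes) -> bool:
        """Accept only frames tagged under the pairing session key whose
        sequence number is strictly greater than the last one seen (anti-replay)."""
        if len(message) < 4 + 32:
            return False
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(session_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        (seq,) = struct.unpack("!I", body[:4])
        if seq <= self._last_seq:
            return False
        self._last_seq = seq
        self.typed.append(body[4:].decode())
        return True


def build_message(session_key: bytes, seq: int, text: str) -> bytes:
    """Client side: frame = seq (4 bytes, big-endian) || text || HMAC-SHA256 tag."""
    body = struct.pack("!I", seq) + text.encode()
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


def demo() -> dict:
    """Run both sides against constructed inputs and return the observations."""
    results = {}
    results["weak_attempts"] = brute_force_weak(WeakPairing("4271"))

    fake_now = [1000.0]  # constructed clock so no real waiting is needed
    hardened = HardenedPairing("correct horse battery staple", clock=lambda: fake_now[0])
    for _ in range(HardenedPairing.MAX_FAILURES):
        hardened.try_secret("0000")
    results["locked_out"] = hardened.try_secret("correct horse battery staple") is None
    fake_now[0] += HardenedPairing.LOCKOUT_SECONDS
    key = hardened.try_secret("correct horse battery staple")
    results["paired_after_lockout"] = key is not None

    server = CommandServer()
    results["unauth_accepted"] = server.handle_unauthenticated(b"rm -rf ~")
    legit = build_message(key, 1, "hello")
    results["auth_accepted"] = server.handle_authenticated(key, legit)
    results["replay_rejected"] = not server.handle_authenticated(key, legit)
    forged = build_message(secrets.token_bytes(32), 2, "calc.exe")
    results["forged_rejected"] = not server.handle_authenticated(key, forged)
    results["typed"] = list(server.typed)
    return results


if __name__ == "__main__":
    print(demo())
```

Against the weak gate the whole PIN space is walked in at most 10,000 guesses (4,272 for the constructed PIN), which is what "easily and quickly brute force PINs" amounts to in practice; the hardened gate stops answering after five failures. The unauthenticated handler types whatever arrives, while the authenticated one drops the replayed frame and the frame tagged under the wrong key. Transport confidentiality (the keystroke-exposure finding) is a separate layer and would be handled by running the channel over TLS, which this in-process model does not show.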
CyRC first reported the vulnerabilities to the developers on August 13, 2022, and published the advisory after receiving no response from the development teams behind the apps.
Here’s a timeline of the vulnerabilities:
- August 13, 2022: Initial disclosure
- August 18, 2022: Follow-up communication
- October 12, 2022: Final follow-up communication
- November 30, 2022: Announcement from Synopsys
“CyRC contacted the developers multiple times but did not hear back within the 90-day period set out in our Responsible Disclosure Policy. These three apps are widely used, but they are neither maintained nor supported, apparently, and security was not a consideration when developing these applications,” concluded the report. “CyRC recommends immediate removal of these apps.”