Android keyboard apps with 2 million downloads can remotely hack your device (Security Affairs)
Researchers found several flaws in three Android keyboard and mouse apps that remote attackers can exploit to inject input and execute arbitrary commands on the computer the apps are paired with.
Researchers at the Synopsys Cybersecurity Research Center (CyRC) are warning of three Android keyboard apps with a cumulative two million installs that are affected by multiple flaws (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483). The flaws can be exploited by remote attackers to execute arbitrary commands on the desktop or laptop running the apps' server component.
Remote keyboard and mouse apps turn the phone into an input device: the Android app connects to a companion server running on a desktop or laptop computer and transmits mouse and keyboard events to it over the network. Whoever can talk to that server can therefore type into the computer.
The three apps (Lazy Mouse, PC Keyboard, and Telepad) are available on the official Google Play Store and are used as an external keyboard and mouse for a PC.
CyRC reported weak or missing authentication, missing authorization checks, and insecure communication in all three apps.
“An exploitation of the authentication and authorization vulnerabilities could allow remote, unauthenticated attackers to execute arbitrary commands. Similarly, an exploitation of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.” reads the analysis published by CyRC.
“Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although all of the vulnerabilities are related to authentication, authorization, and transfer implementations, the failure mechanism of each application is different. CyRC found vulnerabilities that enable authentication bypasses and remote execution of code in the three applications, but did not find a single exploit method that applies to all three.”
Affected software is:
- Telepad versions 1.0.7 and earlier
- PC Keyboard versions 30 and earlier
- Lazy Mouse versions 2.0.1 and earlier
Below are the details of the critical vulnerabilities:
Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any prior authorization or authentication.
PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any prior authorization or authentication.
The default Lazy Mouse configuration does not require a password, allowing remote unauthenticated users to run arbitrary code without prior authorization or authentication.
The Lazy Mouse server enforces weak password requirements and does not implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.
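The two Lazy Mouse findings (no password in the default configuration, and a weak PIN with no rate limiting) are easy to model. The following is an added Python example, not code from any of the three apps or from CyRC: a toy PIN check written the way the advisory describes the weak behaviour, next to a hardened check that requires a secret, compares it in constant time and locks out after repeated failures, with a brute-force loop run against both. The 4-digit PIN, the lockout threshold and window, and the sample secrets are assumptions for illustration; the advisory does not state Lazy Mouse's actual PIN format.

```python
"""Toy model of a remote keyboard/mouse server's PIN check.

Constructed example for illustration, not code from Lazy Mouse, PC Keyboard,
Telepad or CyRC. The 4-digit PIN, the lockout threshold and window, and the
sample secrets are assumptions; the advisory does not state the real PIN format.
"""
import hmac
import itertools
import time
from typing import Optional, Tuple


class WeakServer:
    """Reproduces the reported weaknesses: no password by default, a short
    numeric PIN when one is set, and no limit on failed attempts."""

    def __init__(self, pin: Optional[str] = None):
        self.pin = pin  # default configuration: nothing configured

    def authenticate(self, attempt: str) -> bool:
        if self.pin is None:        # no password required by default
            return True
        return attempt == self.pin  # plain compare, failures are not counted


class HardenedServer:
    """Requires a secret of a minimum length, compares it in constant time,
    and locks out further attempts after too many failures."""

    MIN_LEN = 8
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 60.0

    def __init__(self, secret: str, clock=time.monotonic):
        if len(secret) < self.MIN_LEN:
            raise ValueError(f"secret must be at least {self.MIN_LEN} characters")
        self.secret = secret.encode()
        self.clock = clock          # injectable so the lockout can be tested
        self.failures = 0
        self.locked_until = 0.0
        self.compares = 0           # how many attempts were actually checked

    def authenticate(self, attempt: str) -> bool:
        now = self.clock()
        if now < self.locked_until:
            return False            # locked out: rejected without comparing
        self.compares += 1
        if hmac.compare_digest(attempt.encode(), self.secret):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.LOCKOUT_SECONDS
            self.failures = 0
        return False


def brute_force_pin(server, pin_len: int = 4,
                    max_attempts: int = 10_000) -> Tuple[Optional[str], int]:
    """Try every numeric PIN of pin_len digits in order, as an attacker with
    network access to the server would. Returns (pin or None, attempts used)."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=pin_len):
        if attempts >= max_attempts:
            break
        attempts += 1
        candidate = "".join(digits)
        if server.authenticate(candidate):
            return candidate, attempts
    return None, attempts


def demo() -> dict:
    """Run the brute force against the three configurations described above."""
    results = {}
    # Default configuration with no PIN: the very first message is accepted.
    results["default_no_pin"] = brute_force_pin(WeakServer())
    # Weak 4-digit PIN and no rate limiting: found in at most 10,000 tries.
    results["weak_pin"] = brute_force_pin(WeakServer(pin="7391"))
    # Hardened server with a frozen clock, so the lockout never expires here.
    hardened = HardenedServer("long-random-secret", clock=lambda: 0.0)
    results["hardened"] = brute_force_pin(hardened, max_attempts=100)
    results["hardened_compares"] = hardened.compares  # only 5 were checked
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against the default configuration the first packet is accepted; against a 4-digit PIN the whole keyspace is exhausted in at most 10,000 requests, which takes seconds on a LAN when nothing throttles the attempts. The hardened server checks only five candidates before refusing everything for the lockout window. The lockout here is a single global counter for clarity; a real server would track failures per client address so one attacker cannot lock out the legitimate user, and would refuse to accept input at all until a secret has been configured.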
CyRC first reported the vulnerabilities to the developers on August 13, 2022, and published its advisory after receiving no response from the development teams behind the apps.
This is the disclosure timeline:
- August 13, 2022: Initial disclosure to the developers
- August 18, 2022: Follow-up communication
- October 12, 2022: Final follow-up communication
- November 30, 2022: Advisory published by Synopsys
“CyRC has contacted the developers several times but has not received a response within the 90-day timeline dictated by our responsible disclosure policy. These three applications are widely used, but they are neither maintained nor supported, and clearly security was not a factor when these applications were developed.” concludes the report. “CyRC recommends removing the applications immediately.”