A number of unpatched vulnerabilities have been found in three Android apps that allow a smartphone to be used as a remote keyboard and mouse.
The apps in question are Lazy Mouse, PC Keyboard, and Telepad, which have been cumulatively downloaded over two million times from the Google Play Store. Telepad is not available through the app marketplace but can be downloaded from its website.
- Lazy Mouse (com.ahmedaay.lazymouse2 and com.ahmedaay.lazymousepro)
- PC Keyboard (com.beapps.pckeyboard)
- Telepad (com.pinchtools.telepad)
While these apps work by connecting to a server on a desktop and transmitting mouse and keyboard events to it, the Synopsys Cybersecurity Research Center (CyRC) found as many as seven flaws related to weak or missing authentication, missing authorization, and insecure communication.
The issues (CVE-2022-45477 through CVE-2022-45483), in a nutshell, could be exploited by a malicious actor to execute arbitrary commands without authentication or to harvest sensitive information by exposing users’ keystrokes in cleartext.
The Lazy Mouse server further suffers from a weak password policy and does not implement rate limiting, enabling remote unauthenticated attackers to trivially brute-force the PIN and execute rogue commands.
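The missing control described above, rate limiting on PIN checks, is sketched below as an added example; it is not code from the article, Synopsys, or any of the three apps. The `PinGuard` class, the 4-digit PIN, and the backoff thresholds are all assumptions made for illustration.

```python
import hmac
import time


class PinGuard:
    """Per-client PIN throttling with exponential backoff (hypothetical helper)."""

    def __init__(self, pin, free_attempts=3, base_delay=2.0,
                 max_delay=3600.0, clock=time.monotonic):
        self._pin = pin.encode()
        self._free = free_attempts      # failures allowed before delays start
        self._base = base_delay         # first lockout, in seconds
        self._max = max_delay           # cap on a single lockout
        self._clock = clock             # injectable so tests need not sleep
        self._state = {}                # client -> (failures, locked_until)

    def _delay(self, failures):
        """Lockout imposed after the given number of consecutive failures."""
        if failures < self._free:
            return 0.0
        # Exponent is capped so very large failure counts cannot overflow.
        return min(self._base * 2 ** min(failures - self._free, 30), self._max)

    def check(self, client, guess):
        """Return 'ok', 'denied' or 'locked' for one attempt from `client`."""
        now = self._clock()
        failures, locked_until = self._state.get(client, (0, 0.0))
        if now < locked_until:
            # During a lockout the guess is not compared at all,
            # so sending more attempts reveals nothing.
            return "locked"
        # Constant-time comparison avoids leaking matching prefixes by timing.
        if hmac.compare_digest(guess.encode(), self._pin):
            self._state.pop(client, None)
            return "ok"
        failures += 1
        self._state[client] = (failures, now + self._delay(failures))
        return "denied"

    def worst_case_seconds(self, keyspace):
        """Total lockout time forced on one client that tries every PIN."""
        return sum(self._delay(n) for n in range(1, keyspace + 1))


if __name__ == "__main__":
    guard = PinGuard("4821")  # constructed sample PIN
    days = guard.worst_case_seconds(10_000) / 86_400
    print(f"Exhausting a 4-digit PIN space takes about {days:.0f} days of lockouts")
```

Without the lockout, the same 10,000 guesses are limited only by network speed, which is why the absence of rate limiting makes a short PIN ineffective as authentication.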
It is worth noting that none of the apps have received any updates for over two years, making it imperative that users remove the apps with immediate effect.
“These three applications are extensively used but they’re neither maintained nor supported, and evidently, security was not a factor when these applications were developed,” Synopsys security researcher Mohammed Alshehri said.