Watch Out! These Android Keyboard Apps With 2 Million Installs Can be Hacked Remotely


Multiple unpatched vulnerabilities have been found in three Android apps that enable a smartphone to be used as a remote keyboard and mouse.

The apps in question are Lazy Mouse, PC Keyboard, and Telepad, which have been cumulatively downloaded over two million times from the Google Play Store. Telepad is no longer available through the app marketplace but can be downloaded from its website.

  • Lazy Mouse (com.ahmedaay.lazymouse2 and com.ahmedaay.lazymousepro)
  • PC Keyboard (com.beapps.pckeyboard)
  • Telepad (com.pinchtools.telepad)

While these apps operate by connecting to a server on a desktop and transmitting mouse and keyboard events to it, the Synopsys Cybersecurity Research Center (CyRC) discovered as many as seven flaws related to weak or missing authentication, missing authorization, and insecure communication.


The issues (from CVE-2022-45477 through CVE-2022-45483), in a nutshell, could be exploited by a malicious actor to execute arbitrary commands without authentication or harvest sensitive information by exposing users' keystrokes in cleartext.

The Lazy Mouse server additionally suffers from a weak password policy and does not implement rate limiting, enabling remote unauthenticated attackers to trivially brute-force the PIN and execute rogue commands.
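The missing control can be sketched as follows. This is an added example, not code from Synopsys or from any of the apps; the `PinGate` class, its parameters, and the delay values are assumptions chosen for illustration. It shows a PIN check that refuses guesses during an exponentially growing per-client lockout.

```python
import hmac
import time


class PinGate:
    """Throttle PIN guesses per client before any command is accepted."""

    def __init__(self, pin, free_tries=3, base_delay=2.0, max_delay=900.0,
                 clock=time.monotonic):
        self._pin = pin.encode()
        self._free = free_tries      # failures allowed before delays start
        self._base = base_delay      # first lockout, in seconds (assumed value)
        self._max = max_delay        # ceiling for a single lockout (assumed value)
        self._clock = clock          # injectable so the logic can be tested
        self._state = {}             # client id -> (failures, locked_until)

    def check(self, client, attempt):
        """Return 'ok', 'denied' or 'locked' for one PIN attempt."""
        now = self._clock()
        failures, locked_until = self._state.get(client, (0, 0.0))
        if now < locked_until:
            return "locked"          # refuse without evaluating the guess
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(attempt.encode(), self._pin):
            self._state.pop(client, None)
            return "ok"
        failures += 1
        delay = 0.0
        if failures > self._free:
            # Double the lockout per extra failure; cap the exponent so the
            # arithmetic stays bounded under a long-running guessing attempt.
            steps = min(failures - self._free - 1, 30)
            delay = min(self._base * 2 ** steps, self._max)
        self._state[client] = (failures, now + delay)
        return "denied"
```

Keying the throttle on a client identifier alone is not sufficient if that identifier is a source address the client can change, so a server would also cap total failures across all clients and bound the size of the state table.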

It’s worth noting that none of the apps have received any updates for over two years, making it imperative that users remove the apps with immediate effect.

“These three applications are extensively used but they’re neither maintained nor supported, and evidently, security was not an element when these applications had been developed,” Synopsys security researcher Mohammed Alshehri said.
