Android Keyboard Apps with 2 Million downloads can remotely hack your device

Experts found multiple flaws in three Android Keyboard apps that can be exploited by remote attackers to compromise a mobile phone.

Researchers at the Synopsys Cybersecurity Research Center (CyRC) warn of three Android keyboard apps with cumulatively two million installs that are affected by multiple flaws (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483) that can be exploited by attackers to compromise a mobile phone.

Keyboard and mouse apps connect to a server on a desktop or laptop computer and transmit mouse and keyboard events to a remote server.

These three Android apps (Lazy Mouse, PC Keyboard, and Telepad) are Keyboard apps available on the official Google Play Store and are used as remote keyboard and mouse.

CyRC experts warn of weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps.

“An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.” reads the analysis published by CyRC.

“Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different. The CyRC found vulnerabilities that enable authentication bypasses and remote code execution in the three applications, but did not find a single method of exploitation that applies to all three.”

Impacted software are:

• Telepad versions 1.0.7 and prior
• PC Keyboard versions 30 and prior
• Lazy Mouse versions 2.0.1 and prior

Below are the details of the critical vulnerabilities:

CVE-2022-45477
Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

CVE-2022-45479
PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

CVE-2022-45481
The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.

CVE-2022-45482
The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.

The vulnerabilities were initially disclosed on August 13, 2022 and the CyRC reached published the advisory because they have yet to receive a response from the development teams behind these apps.

This is the timeline for these vulnerabilities:

• August 13, 2022: Initial disclosure
• August 18, 2022: Follow-up communication
• October 12, 2022: Final follow-up communication
• November 30, 2022: Advisory published by Synopsys

“The CyRC reached out to the developers multiple times but has not received a response within the 90 day timeline dictated by our responsible disclosure policy. These three applications are widely used but they are neither maintained nor supported, and evidently, security was not a factor when these applications were developed.” concludes the report. “The CyRC recommends removing the applications immediately.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android Keyboard)

[adrotate banner=”5″]

[adrotate banner=”13″]