Critical RCE bugs in Android remote keyboard apps with 2M installs

Three Android applications that allow users to use devices as remote keyboards for their computers have critical vulnerabilities that could expose key presses and enable remote code execution.

The apps are PC Keyboard, Lazy Mouse, and Telepad, and their vulnerable versions (free and paid) and in Google Play they have a combined installation count of more than two million.

PC Keyboard and Lazy Mouse still available on Google Play
PC Keyboard and Lazy Mouse on Google Play (BleepingComputer)

The critical weaknesses were discovered by analysts at Synopsys, who informed the app developers of their findings in August 2022.

The researchers published a security advisory today, after attempting to contact the software vendors again in October 2022 and not getting a reply.

“CyRC research uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps,” reads the advisory.

“Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different” - Synopsys

The flaws impacting each app are the following:

  • CVE-2022-45477 (9.8 severity rating) – Flaw in Telepad, allowing a remote unauthenticated user to send instructions to the server to execute arbitrary code without requiring authorization or authentication.
  • CVE-2022-45478 (5.1 severity rating) – Telepad flaw allowing an attacker to perform a man-in-the-middle (MITM) attack and read all keypresses in cleartext.
  • CVE-2022-45479 (9.8 severity rating) – PC Keyboard flow allowing a remote unauthenticated user to send instructions to the server to execute arbitrary code without requiring authorization or authentication.
  • CVE-2022-45480 (5.1 severity rating) – PC Keyboard flaw allowing an attacker to perform a man-in-the-middle (MITM) attack and read all keypresses in cleartext.
  • CVE-2022-45481 (9.8 severity rating) – Lack of password requirement in the default configuration of Lazy Mouse, allowing remote unauthenticated users to execute arbitrary code without requiring authorization or authentication.
  • CVE-2022-45482 (9.8 severity rating) – Lazy Mouse server weakness enforcement weak password requirements while not implementing rate limiting, enabling unauthenticated attackers to brute force the PIN and execute arbitrary commands.
  • CVE-2022-45483 (5.1 severity rating) – Lazy Mouse flaw allowing an attacker to perform a man-in-the-middle (MITM) attack and read all keypresses in cleartext.

The three apps are no longer maintained or supported by their developers, so they fit the criteria for defining “abandonware.”

Telepad is no longer on Google Play, but it's available from the official website
Telepad is no longer on Google Play, but can be downloaded from the official website

Continuing using the apps comes with significant risk of exposing sensitive information. Successful exploitation could also enable remote attackers run arbitrary code on the device.

If you’re looking for a remote keyboard app, there are several actively maintained projects on Google Play, many of which have positive user ratings.

Before installing an alternative app, make sure to check user reviews, read the project’s privacy policy carefully, and check the date for the last update. If possible, users should try to confirm that data in transit is encrypted.

Related Articles:

Google paid $10 million in bug bounty rewards last year

Hackers exploit critical RCE flaw in Bricks WordPress site builder

ScreenConnect critical bug now under attack as exploit code emerges

Joomla fixes XSS flaws that could expose sites to RCE attacks

SolarWinds fixes critical RCE bugs in access rights audit solution