Three Android apps designed to let users use their phone as a desktop keyboard can expose keystrokes to threat actors and allow them to remotely execute code.
According to BleepingComputer(opens in a new tab), analysts at electronic design automation (EDA) company Synopsys found critical vulnerabilities in "PC Keyboard", "Lazy Mouse", and "Telepad", and issued an advisory opinion (it is opens in a new tab). tab) on his application security blog regarding seven separate security vulnerabilities.
The free and paid versions of these apps, both affected, have a combined installed base of more than two million. Synopsys has not received a response from any developer of the affected apps within 90 days of first contact in August 2022, and now recommends uninstalling the apps.
Android Remote Keyboard App Security Vulnerabilities
"CyRC's investigation revealed weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in all three applications," the Synopsys advisory reads.
"While all of the vulnerabilities are related to authentication, authorization, and forwarding implementations, each application's failure mechanism is different."
The flaws in question are CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, and CVE-2022-45483. Together, they allow unauthenticated users to access remote application servers and allow them to commit "man-in-the-middle attacks" and read all keystrokes in the clear.
Lazy Mouse, in particular, doesn't require setting a password for the server in the app, and doesn't set one by default, which is sure to trap less security-conscious users and put them at risk of exposing sensitive information. personal data, which could be used against you in case of identity theft.
Many secure remote keyboard apps for Android are listed on the Google Play Store.
To prevent accidental installation of malware, make sure the app comes from there as a trusted source, has great user reviews, recommendations from tech industry personalities, update history from the last few days, and a description with perfect spelling and grammar. .
However, users will only be truly safe if they can guarantee that all their keystrokes are encrypted. A trusted app usually promotes this feature, but you can also find it in the app's privacy policy, usually available on its Play Store page.