Security
Headlines
HeadlinesLatestCVEs

Headline

Time to uninstall! Abandoned Android apps pack a vulnerability punch

Categories: News Tags: CVE

Tags: android

Tags: apps

Tags: abandonware

Tags: vulnerability

Tags: bug

Tags: telepad

Tags: pc keyboard

Tags: lazy mouse

Three abandoned Android apps with remote code execution vulnerabilities need to be shown the door.

(Read more…)

The post Time to uninstall! Abandoned Android apps pack a vulnerability punch appeared first on Malwarebytes Labs.

Malwarebytes
#vulnerability#android#mac#google#rce#auth

Posted: December 2, 2022 by

Synopsis has published an advisory warning of multiple vulnerabilities across three different Android remote mouse and keyboard apps with a combined install count of about two million. The apps are at risk from remote code execution (RCE), and there’s no sign of a fix coming anytime, ever.

Bleeping Computer notes that the issues were first discovered and reported to the developers in August. The advisory has been published after the developers failed to respond. If you have any of these apps on your mobile device, it’s probably well past the point where you should consider replacing them.

Which apps are affected?

The apps impacted by the details in the advisory are as follows:

  • Telepad versions 1.0.7 and prior
  • Lazy Mouse versions 2.0.1 and prior
  • PC Keyboard versions 30 and prior

The three apps are reported to be abandonware, which makes it even more essential to get word out with regard to the security issues at hand. With so many supported apps to choose from, there really is no need to stick to apps like these which are easily replaceable. It’s worth noting that these apps aren’t just available on Google Play.

Searching for them reveals multiple download locations elsewhere. If you find “updated” versions of the software elsewhere, do not install them. Criminals often disguise their malware as apps that are popular on Google Play and spread them on third-party markets. Having an app with a known RCE vulnerability is bad. Swapping it for one that has a known RCE vulnerability and may also contain malware is worse.

A list of CVE problems

There are seven Common Vulnerabilities and Exposures (CVEs) listed, with four of them racking up a 9.8 severity rating. The four big hitters listed by Synopsis are as follows:

CVE-2022-45477

Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

CVE-2022-45479

PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

CVE-2022-45481

The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.

CVE-2022-45482

The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.

The other three are CVE-2022-45478, CVE-2022-45480, and CVE-2022-45483 respectively, which all involve machine-in-the-middle attacks and reading all keypresses in cleartext.

What’s the fix for this?

As noted above, there isn’t one other than deleting the applications. Despite initial outreach to the developers on August 13, further attempts at communication a few days later, and then one last attempt on October 12, no response was forthcoming.

The developers may no longer be taking an interest, but we strongly advise users to do so and make the right decision for their devices.

Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

RELATED ARTICLES

Related news

CVE-2022-45480: CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45480: CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45480: CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45480: CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45480: CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45480: CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-45480: CyRC Vulnerability Advisory: Remote code execution vulnerabilities in mouse and keyboard apps

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Watch Out! These Android Keyboard Apps With 2 Million Installs Can be Hacked Remotely

Multiple unpatched vulnerabilities have been discovered in three Android apps that allow a smartphone to be used as a remote keyboard and mouse. The apps in question are Lazy Mouse, PC Keyboard, and Telepad, which have been cumulatively downloaded over two million times from the Google Play Store. Telepad is no longer available through the app marketplace but can be downloaded from its website.

Watch Out! These Android Keyboard Apps With 2 Million Installs Can be Hacked Remotely

Multiple unpatched vulnerabilities have been discovered in three Android apps that allow a smartphone to be used as a remote keyboard and mouse. The apps in question are Lazy Mouse, PC Keyboard, and Telepad, which have been cumulatively downloaded over two million times from the Google Play Store. Telepad is no longer available through the app marketplace but can be downloaded from its website.