Three Android apps designed to let users use their phones as a keyboard for a workstation can expose keystrokes to threat actors and allow them to execute code remotely.

According to BleepingComputer, analysts from Electronic Design Automation (EDA) company Synopsys have found critical vulnerabilities in “PC Keyboard”, “Lazy Mouse” and “Telepad”, and published an advisory notice on its Application Security Blog about seven different security flaws.

The free and paid versions of these apps, both of which are affected, have a combined install base of more than two million. Synopsys has not received a response from developers of the affected apps within a 90-day period of initial contact in August 2022 and is now recommending that the apps be removed.

Security flaws in Android remote keyboard app

“CyRC investigation revealed weak or missing authentication mechanisms, missing authorization and insecure communication vulnerabilities in the three apps,” Synopsys advises.

“While the vulnerabilities are all related to the authentication, authorization and transmission implementations, each application’s failure mechanism is different.”

The flaws in question are CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, and CVE-2022-45483. Together, they allow unauthenticated users to access the apps’ remote servers, perform “man-in-the-middle attacks” and read all keystrokes in plaintext.

In particular, Lazy Mouse does not require a password to be set for the server in the app, nor does it set one by default, which is sure to catch out less security-conscious users and risks exposing sensitive personal data that could be used against them in cases of identity theft.

Plenty of secure remote keyboard apps for Android are listed in the Google Play Store.

To avoid accidentally installing malware, make sure the app comes from there as a reliable source, has great user reviews, recommendations from tech industry figures, a recent update history, and a description with perfect spelling and grammar.

However, users are only really safe from compromise if they can guarantee that all their keystrokes are encrypted. A reputable app will usually tout this feature, but you can also find it in the app’s privacy policy, usually available on the Play Store page.

