Security researchers from Synopsys discovered multiple critical flaws in three Android applications that allow users to manage computer systems using Android devices.
These critical vulnerabilities can also be used by attackers to exploit key presses or to execute (Remote code execution).
These apps have been downloaded more than 2 million times in the combined state. The apps found to be vulnerable include:
- Keyboard for PC
- Lazy Mouse
- Telepad
The findings of Synopsys’ security specialists were shared with app developers in August 2022.
The researchers published their security advisory after contacting software vendors in October 2022, but without success.
that these apps are susceptible to the following flaws, which were introduced by CyRC research.
- Missing authentication mechanisms
- Mansues not authorized
- Unsecure communications
Vulnerabilities
These are some of the weaknesses that can affect every app differently:
-
CVE ID CVE-202-25477
|
Description Telepad lets remote users send commands to the server without authentication or authorization to run arbitrary code. Score 9.8 CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
-
CVE ID CVE-202-25478
|
Description Telepad allows attackers (in man-in the-middle positions between the server, a connected device), to view all data in cleartext (including keypresses). Score: CVSS 3.1 vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
-
CVE ID CVE-2022-45447
|
Description The PC Keyboard lets remote users send commands to the server without authentication or authorization to run arbitrary codes. Score for 9.8 CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
-
CVE ID CVE-2022-454480
|
Description: The keyboard allows attackers (in man-in the-middle positions between the server, a connected device), to view all data in cleartext (including keypresses). Score in CSSS: CVSS 3.1 vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
-
CVE ID CVE-202-25481
|
Description The default configuration for Lazy Mouse doesn’t require passwords. Remote unauthenticated users can execute any code without authorization. Score: 9.8 CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
-
CVE ID CVE-202-25482
|
Description The Lazy Mouse Server enforces weak password requirements, doesn’t implement rate-limiting and allows remote unauthenticated users easily and quickly to brute force their PIN and perform arbitrary commands. Score: 9.8 CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
- CVE ID CVE-202-25483
|
Description Using Lazy Mouse, an attacker can see every data in cleartext (including keypresses), while he is between the server’s and connected devices. Score on CVSS: CVSS 3.1 vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Timeline
- August 13, 2022: First disclosure
- August 18, 2022: Follow up communication
- November 12, 2022: Last follow-up communication
- December 30, 2022: Synopsys publishes an advisory
Recommendation
Each of the three affected apps’ developers have abandoned the apps. This means that the developers no longer support these apps. They meet all the requirements for abandonware.
These apps can expose sensitive information if they are used regularly. Remote attackers may also be able to execute arbitrary code on your device, if they are successful in exploiting the critical weaknesses.
Before installing any other app, make sure to read and understand the privacy statement. Before installing an alternative app, it is important to read the reviews of each app and verify the date of its last update.
The CyRC strongly recommends that these applications be removed as quickly as possible in order to avoid further exploit.
Pernetration Testing as a Service –
