Shocked mobile face

Time to uninstall! Abandoned Android apps pack a vulnerability punch

Synopsis has published an advisory warning of multiple vulnerabilities across three different Android remote mouse and keyboard apps with a combined install count of about two million. The apps are at risk from remote code execution (RCE), and there’s no sign of a fix coming anytime, ever.

Bleeping Computer notes that the issues were first discovered and reported to the developers in August. The advisory has been published after the developers failed to respond. If you have any of these apps on your mobile device, it’s probably well past the point where you should consider replacing them.

Which apps are affected?

The apps impacted by the details in the advisory are as follows:

  • Telepad versions 1.0.7 and prior
  • Lazy Mouse versions 2.0.1 and prior
  • PC Keyboard versions 30 and prior

The three apps are reported to be abandonware, which makes it even more essential to get word out with regard to the security issues at hand. With so many supported apps to choose from, there really is no need to stick to apps like these which are easily replaceable. It’s worth noting that these apps aren’t just available on Google Play.

Searching for them reveals multiple download locations elsewhere. If you find “updated” versions of the software elsewhere, do not install them. Criminals often disguise their malware as apps that are popular on Google Play and spread them on third-party markets. Having an app with a known RCE vulnerability is bad. Swapping it for one that has a known RCE vulnerability and may also contain malware is worse.

A list of CVE problems

There are seven Common Vulnerabilities and Exposures (CVEs) listed, with four of them racking up a 9.8 severity rating. The four big hitters listed by Synopsis are as follows:

CVE-2022-45477

Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

CVE-2022-45479

PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

CVE-2022-45481

The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.

CVE-2022-45482

The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.

The other three are CVE-2022-45478, CVE-2022-45480, and CVE-2022-45483 respectively, which all involve machine-in-the-middle attacks and reading all keypresses in cleartext.

What’s the fix for this?

As noted above, there isn’t one other than deleting the applications. Despite initial outreach to the developers on August 13, further attempts at communication a few days later, and then one last attempt on October 12, no response was forthcoming.

The developers may no longer be taking an interest, but we strongly advise users to do so and make the right decision for their devices.

Stay safe out there!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.