Android keyboard app bugs allow remotely infecting devices
Three Android apps with millions of downloads on the Google Play store had several flaws that could allow attackers to remotely execute commands and steal credentials.
Three keyboard and mouse apps for Android devices, Lazy Mouse, Telepad, and PC Keyboard, were riddled with critical vulnerabilities, putting users in danger of losing their data. Free and paid versions of all three apps have close to two million downloads.
The apps were devised to enable users to use their Android device as a remote keyboard and mouse when connected to a computer or another device.
However, the Synopsys Cybersecurity Research Center (CyRC) team discovered weak or even missing authentication and authorization mechanisms and insecure communication vulnerabilities.
“An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords,” CyRC’s blog post said.
Even though researchers claim the vulnerabilities are related to the same areas of authentication, authorization, and transmission implementations, each app’s failure mechanism was deemed different. That means all three apps need different exploits to abuse their flaws.
The researchers noted they reached out to the app developers several times but did not receive any reply. Report’s authors note that while the apps are widely used, they’re not updated or maintained.
Recently, the Cybernews research team has discovered that thousands of Android apps have hard-coded secrets, meaning that malicious actors could exploit that information for their benefit simply by analyzing publicly available information about apps.
Last year, the team discovered that 14 top Android apps, downloaded by more than 140 million people in total, are leaking user data due to Firebase misconfigurations.