Three Android apps with over 2 million combined downloads have been found to have critical vulnerabilities that could result in remote code execution. These applications, Lazy Mouse, Telepad, and PC Keyboard, turn the Android device they are installed on into a remote keyboard or mouse for a desktop or laptop computer. Seven vulnerabilities have been found across the three apps, stemming from poor authentication and authorisation controls and insecure transmission of keystrokes in each app. Affected versions include Telepad version 1.0.7 and previous, PC Keyboard version 30 and previous, and Lazy Mouse version 2.0.1 and previous.
Four of the identified vulnerabilities have been given a critical severity rating and a CVSS score of 9.8. These include CVE-2022-45477 in Telepad and CVE-2022-45479 in PC Keyboard, both of which allow an unauthenticated remote user to send instructions to the server component and execute arbitrary code, with no authentication or authorisation required. CVE-2022-45481 in Lazy Mouse is exploitable because no password is required by default, which similarly lets unauthenticated users perform remote code execution. The final critical severity flaw, CVE-2022-45482, also in Lazy Mouse, is due to the server's weak password requirements and enforcement combined with the absence of rate limiting. Unauthenticated attackers can brute-force the PIN and then, as before, execute arbitrary commands.
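The two Lazy Mouse flaws come down to two server-side design decisions: accepting input with no secret configured, and checking a short PIN with no limit on failed attempts. The following Python sketch is an added example, not code from the Synopsys advisory or from any of the three apps; the `AuthPolicy`, `PairingGate`, policy values and client names are all constructed for illustration. It places a weak policy (no secret required) beside a hardened one (a random 128-bit pairing token, constant-time comparison, and a per-client lockout after a fixed number of failures) so the difference in behaviour can be exercised directly.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed example: an authentication gate in front of a remote keyboard/mouse
# server. WEAK_POLICY mirrors the "no password by default" behaviour described
# in the text; HARDENED_POLICY is one reasonable mitigation. Neither is the
# configuration of any real app.


@dataclass
class AuthPolicy:
    require_secret: bool      # False: any client may inject input (weak default)
    max_failures: int         # failed attempts before a client is locked out
    lockout_seconds: float    # how long the lockout lasts


WEAK_POLICY = AuthPolicy(require_secret=False, max_failures=0, lockout_seconds=0.0)
HARDENED_POLICY = AuthPolicy(require_secret=True, max_failures=5, lockout_seconds=300.0)


@dataclass
class PairingGate:
    policy: AuthPolicy
    secret: Optional[str] = None
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    _failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.policy.require_secret and self.secret is None:
            # A random 128-bit token replaces a guessable short PIN; it is shown
            # once on the desktop during pairing, never chosen by the user.
            self.secret = secrets.token_hex(16)

    def is_locked(self, client: str) -> bool:
        _, locked_until = self._failures.get(client, (0, 0.0))
        return locked_until > self.clock()

    def authenticate(self, client: str, presented: Optional[str]) -> bool:
        """Return True only if `client` may send keystrokes/mouse events."""
        if not self.policy.require_secret:
            return True                      # weak: unauthenticated input accepted
        if self.is_locked(client):
            return False                     # refuse without even comparing
        ok = presented is not None and hmac.compare_digest(
            presented.encode(), self.secret.encode()   # constant-time compare
        )
        if ok:
            self._failures.pop(client, None)
            return True
        count, _ = self._failures.get(client, (0, 0.0))
        count += 1
        locked_until = 0.0
        if count >= self.policy.max_failures:
            locked_until = self.clock() + self.policy.lockout_seconds
            count = 0                        # counter restarts after the lockout
        self._failures[client] = (count, locked_until)
        return False


def token_entropy_bits(gate: PairingGate) -> int:
    """Entropy of the configured secret if it is a hex token (constructed helper)."""
    return 0 if gate.secret is None else len(gate.secret) * 4


if __name__ == "__main__":
    weak = PairingGate(WEAK_POLICY)
    print("weak gate accepts unauthenticated client:", weak.authenticate("phone-A", None))
    hardened = PairingGate(HARDENED_POLICY)
    print("hardened gate token bits:", token_entropy_bits(hardened))
    for attempt in range(6):
        print("wrong guess", attempt + 1, "->", hardened.authenticate("phone-B", "0000"))
    print("locked out:", hardened.is_locked("phone-B"))
```

The lockout is keyed per client for the sake of the demonstration; a real server would also cap total failures across all clients, since an attacker can change the client identifier. The entropy of the token, not the lockout, is what makes guessing infeasible; the lockout mainly keeps the server from being hammered.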
The final three vulnerabilities, CVE-2022-45478 in Telepad, CVE-2022-45480 in PC Keyboard, and CVE-2022-45483 in Lazy Mouse, are all medium severity flaws with a CVSS base score of 5.1. Exploiting them allows a man-in-the-middle attack in which an attacker intercepts and reads all data the application sends to the server in cleartext, including every keypress. Although these vulnerabilities are similar, they are tracked separately, as the failure mechanism in each application is different and no single exploit has been found that applies to all three applications.
These vulnerabilities were all found in August 2022 by a security researcher at the Synopsys Cybersecurity Research Center, who then disclosed the findings to the developers. However, these applications are no longer actively supported or maintained by their developers, so no updates or remediations for these vulnerabilities will be issued. Synopsys published a security advisory about these applications last week to raise awareness of this fact, as the apps are widely available in both paid and free versions. The only mitigation for these vulnerabilities is to discontinue use of all three applications and remove them permanently from all devices.