Reports by Synopsys Cybersecurity Research Center have found that three applications that are available in the google play store for android have multiple vulnerabilities.
Lazy Mouse, Telepad, and PC Keyboard are apps that allow users to connect to a server on a desktop or laptop and transmit mouse and keyboard events to the server. More than two million people have downloaded all three of these apps from Google Play, both for free and for money.
The three apps have a poor or absent authorisation, missing authentication, and unsecured communication issues, according to CyRC report. The authentication and authorisation flaws could be exploited to give remote, unauthenticated attackers the ability to issue arbitrary instructions. Similar to this, a vulnerability in insecure communication can be exploited to reveal the user’s keystrokes, including private data like usernames and passwords.
Various network protocols are used to exchange mouse and keystroke instructions in these types of applications. It should be noted that even though the vulnerabilities are around the authentication, authorization, and transmission implementations, the mechanism of each app’s failure is different.
The CyRC discovered flaws in the three applications that allow for authentication bypasses and remote code execution, but it was unable to identify a single technique of exploitation that could be used to exploit them all.
These three applications are frequently used, but they are not supported or maintained, and it is clear that security was not taken into consideration when they were designed. The CyRC advises deleting the programmes right away.
While Google tries its best to weed out most applications that pose a cyber threat to users, many apps still end up with vulnerabilities that threat actors when presented with the opportunity would use against them.
