In three Android applications that allow the use of a smartphone as a wireless keyboard or mouse, seven dangerous vulnerabilities were found. We are talking about the applications Lazy Mouse, PC Keyboard and Telepad, which in total have more than 2 million downloads on Google Play.
Brash in defense were discovered in August this year by researchers from Synopsys, who unsuccessfully tried to contact the developers. However, after several unsuccessful attempts, the researchers simply published
CVE-2022-45479 (9.8 points of 10 on the CVSS scale) is a vulnerability to PC Keyboard, which allows a remote unauthorized user to send instructions for the server for executing arbitrary code;
CVE-2022-45480 (5.1 points out of 10 on the CVSS scale) is a vulnerability to PC Keyboard, which allows the attacker to attack the “Man in the middle” (MITM) and get all the clicks of the keys in the form of a simple text;
CVE-2022-45481 (9.8 points of 10 on the CVSS scale)-the lack of the need to set the password in the standard Lazy Mouse configuration, which allows hackers to execute malicious code without authorization;
CVE-2022-45482 (9.8 points of 10 on the CVSS scale)-vulnerability in the Lazy Mouse server, which allows you to easily conduct brubors-attacks;
CVE-2022-45483 (5.1 points out of 10 on the CVSS scale) is a vulnerability to Lazy Mouse, allowing the attacker to conduct an attack “Man in the middle” (MITM) and get all the clicks of keys in the form of a simple text;
It is worth noting that none of the applications considered received updates for more than two years, so experts recommend that users delete these applications as soon as possible.