"Android Keyboard App Bugs Allow Remotely Infecting Devices"

Three Android apps with millions of downloads on the Google Play store, Lazy Mouse, Telepad, and PC Keyboard, had several flaws that could allow attackers to remotely execute commands and steal credentials. The apps were riddled with critical flaws, putting users at risk of losing their data. The three apps have nearly two million downloads across their free and paid versions. When connected to a computer or another device, the apps let users operate their Android device as a remote keyboard and mouse.

The Synopsys Cybersecurity Research Center (CyRC) team discovered insecure communication vulnerabilities as well as weak or missing authentication and authorization mechanisms. Exploiting the authentication and authorization flaws could enable unauthenticated remote attackers to execute arbitrary commands. Exploiting the insecure communication vulnerability exposes the user's keystrokes, including sensitive information such as usernames and passwords. Although the researchers say the flaws are related to the same authentication, authorization, and transmission implementations, they determined that each app's failure mechanism was unique, so each of the three apps requires a different exploit to take advantage of its flaws.

The researchers stated that they contacted the app developers several times but received no response. While the apps are widely used, the researchers note that they are not updated or maintained. This article continues to discuss findings and observations regarding the Android keyboard app bugs.

Cybernews reports "Android Keyboard App Bugs Allow Remotely Infecting Devices"

Submitted by Anonymous on