Watch out - these Android remote keyboard apps have serious security flaws

Anyone could be seeing - and noting - whatever you type

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

ThreeAndroidapps designed to let users use their phones as akeyboardfor aworkstationmay be exposing key presses to threat actors and allowing them to execute remote code.

According toBleepingComputer,analysts at electronic design automation (EDA) company Synopsys have found critical vulnerabilities in “PC Keyboard”, “Lazy Mouse”, and “Telepad”, and published anadvisory noticeon its Application Security Blog regarding seven distinct security flaws.

The free and paid versions of these apps, both of which are affected, have a combined install base of over two million. Synopsys didn’t receive a response from any developers of the apps concerned within a 90-day period after first making contact in August 2022, and now recommend uninstalling the apps.

Android remote keyboard app security flaws

“CyRC research uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps,” reads Synopsys’ advisory.

“Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different.”

The flaws in question are CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482 and CVE-2022-45483. Together, they permit unauthenticated users access to the apps’ remote servers and allow them to commit “man in the middle attacks” and read all keystrokes in plaintext.

Lazy Mouse, in particular, doesn’t require a password to be set for the server within the app, and doesn’t set one by default, which is sure to catch out less security conscious users and put them at the risk of exposing sensitive personal data, which could be used against them in a case ofidentity theft.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Check out our list of the best endpoint protection right now>Malicious apps masquerade as Android file managers to spread malware>A fake Android app is turning victims' phones into SMS relays

Plenty of safe remote keyboard apps for Android are listed on theGoogle Play Store.

To avoid accidentally installingmalware, make sure the app comes from there as a trustworthy source, has great user reviews, recommendations from figures in the tech industry, a recent update history, and a description with perfect spelling and grammar.

However, users will only ever be truly safe from compromise if they can guarantee that all of their keystrokes are encrypted. A trustworthy app will usually tout this feature, but you may also find it in the app’s privacy policy, typically available on its Play Store page.

Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time