According to a researcher named, Christopher Le Roux, the smartphone app named Wi-Fi Mouse, which enables users to monitor the mouse movements on their PC or Mac with a phone or tablet, has an unpatched bug, which encourages opponents to sabotage computers. The impact of the associated "server software" of the Android app is the Wi-Fi Mouse, which is required for installation on a Windows system, that enables the moving desktop app to regulate the mouse. The bug enables an opponent with a popular Wi-Fi network to fully access the Windows PC via a software-opened communication port. 

The unpatched bug doesn't affect the Android smartphone operating the Wi-Fi Mouse program, as per Le Roux's analysis. The application has been installed more than 100,000 times, according to the developer's overview of the Google Play platform for Wi-Fi Mouse. And according to the developer, the bug is linked to the Windows desktop applications which have a poor password and PIN protection. 

“The password/PIN option in the Windows Desktop app does not prevent remote control of a target running the software,” stated Le Roux. “I believe this may be an oversight on the part of the developer.” 

While attempting to pair the smartphone operating on Wi-Fi Mouse with the corresponding Wi-Fi Desktop Program, the researcher said that the application doesn't really appropriately request smartphone app users to enter a password or PIN. The absence of encryption gives a possible rogue user the chance to use Wi-Fi Mouse's open data port, Le Roux added.

“The Wi-Fi Mouse mobile app scans for and connects to hosts with TCP port 1978 open. Upon connecting the desktop server responds with OS information and the handshake is complete,” he wrote. “From within the mobile app, you have a mouse touchpad option as well as a file explorer. The file explorer allows a user to ‘open’ any file on the System. This includes executable files such as cmd.exe or powershell.exe, which will open each command terminal, respectively.” 

It is as simple to send ASCII characters as HEX with covering on either side accompanied by a packet to type the main unrestricted access to the targeted device. Particularly since there's no authentication between server and application this procedure is fast and simple to program. An opponent only requires the Wi-Fi Mouse application, which can be used on a targeted PC – no smartphone application is necessary. 

“Sadly, the app can be easily mimicked even if it is not installed or on the network. The Wi-Fi Mouse desktop server will accept any connection so long as it is running on an endpoint and the firewall isn’t blocking its listening port 1978,” Le Roux said. An opponent will use the Windows system to run a simple command, to download a running program from an HTTP server, and execute it on the PC of the goal to get the remote shell. 

“An attacker could still feasibly exploit a Unix-based system with minimal effort,” he wrote.