[UPDATED] Samsung appears to be installing keyloggers on new computers they sell.

Samsung Logo

Luuuuucccyyy! You got some 'splanin' to do!

Bought a Samsung computer recently? Might want to run a malware check on it as it appears they may be intentionally installing a keylogger on it without telling you. Security consultant Mohamed Hassan has written an article for Network World that explains how he discovered the software on two new Samsung computers he purchased:

While setting up a new Samsung computer laptop with model number R525 in early February 2011, I came across an issue that mirrored what Sony BMG did six years ago.  After the initial set up of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software. The scan found two instances of a commercial keylogger called StarLogger installed on the brand new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.

According to a Starlogger description, StarLogger records every keystroke made on your computer on every window, even on password protected boxes.

Hassan removed the software and continued on his merry way until some system trouble prompted him to return the laptop and purchase another higher-end Samsung from a different store. When he got home he found that it also had the StarLogger software on it:

Again, after the initial set up of the laptop, I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops.

Once might have been an anomaly, but twice makes it pretty clear that this was by design. Given the fiasco with the Sony BMG rootkit a couple of years back you’d think Samsung would know better than to pull something like this, but, just like Sony before them, they tried to claim no knowledge of the software:

On March 1, 2011, I called and logged incident 2101163379 with Samsung Support (SS). First, as Sony BMG did six years ago, the SS personnel denied the presence of such software on its laptops. After having been informed of the two models where the software was found and the location, SS changed its story by referring the author to Microsoft since “all Samsung did was to manufacture the hardware.” When told that did not make sense, SS personnel relented and escalated the incident to one of the support supervisors.

The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, “monitor the performance of the machine and to find out how it is being used.”

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.

Yeah, that’s a bullshit answer. Keyloggers don’t monitor performance, they monitor your fucking keyboard. Hence the name KEYLOGGER. This particular keylogger is also capable of taking screenshots and emailing them along with the captured data without you ever knowing about it. Imagine buying a brand new computer and doing some online shopping or banking without knowing that it’s recording everything you type and sending it back to the manufacturer. Well, some of you probably don’t have to imagine that happening to you.

I can’t think of a single legitimate reason for Samsung to be capturing that kind of data. What are they really using it for? How are they securing it? How long are they keeping it? What makes them think this is even remotely legal?

This is particularly annoying as I like a lot of things Samsung makes, the LCD monitors on my desk are from Samsung. I don’t own any computers made by them and I’ll definitely think twice before picking one up. The only question now is how long before the class action lawsuit is filed.

[Updated 9:35AM 3/31/11] Samsung didn’t waste anytime looking into this and it appears that they may be the victim of a false positive according to this article at CrunchGear:

Word comes from Samsung’s official Korean language blog, Samsung Tomorrow, that the company was able to recreate the incident and a keylogger is not on a factory-fresh notebook. The company states that the VIPRE security software used by the original whistleblower mistakenly reports the Microsoft Slovene language folder (c:\windows\SL) as the commercially available Starlogger keylogger. See the screenshot above for the proof — or if you have a R525 or R540 notebook, recreate the test yourself. As it sits right now though, it seems Samsung didn’t follow Acer’s lead and ship infected notebooks.

This is good news indeed. I can imagine Samsung wanted to nip this potential PR disaster in the bud as quickly as possible.