Is Samsung Installing Keyloggers on Laptops?

UPDATE: It has now been confirmed that Samsung laptops do not contain keyloggers or spyware.

UPDATE: Samsung has issued a statement saying that the finding is false. The statement says the software used to detect the keylogger, VIPRE, can be fooled by Microsoft’s Live Application multi-language support folder. This has been confirmed at F-Secure and two other publications, here and here.

UPDATE: GFI Labs, the maker of VIPRE, has issued an explanation and apology for generating the false positives that led to these articles: “We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.”

UPDATE: A Samsung executive is said to have personally flown from Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new R540 laptop computers. These units were immediately put under seal and details recorded for chain-of-custody records. At 17:40, Dr Peter Stephenson, Director of the Norwich University Center for Advanced Computing and Digital Forensics, began the detailed forensic analysis of the disks. The results are expected by Monday.

Original post:
There seems to be a  claim (false, as it turns out) that Samsung installs a commercial keylogger called StarLogger on its laptops before shipping them out, apparently to “monitor the performance of the machine and to find out how it is being used.”

This was reported by Mohamed Hassan, MSIA, CISSP, CISA who bought two different models of Samsung’s laptop – the R525 and R540 models. If the report is true, it will be like a rehash of the Sony Rootkit snafu a couple of years back.

According to Mohammed:

This key logger is completely undetectable and starts up whenever your computer starts up and can capture “everything being typed: emails, messages, documents, web pages, usernames, passwords, and more.[ StarLogger] can email its results at specified intervals to any email address undetected so you don’t even have to be at the computer… The screen capture images can also be attached automatically to the emails as well as automatically deleted.

Keyloggers are considered spyware that can track all the keyboard activities on a computer and has the ability to send the collected information to a third party for analysis or use. What is not known at this time is how many models in Samsung’s lineup of laptops contain the alleged malware other than the R525 and R540-models.

It is not alarmist in this day and age to encourage users to check their laptops, especially those with the Samsung models that are supposedly affected. You can look for the “c:windowsSL” folder and if you have that folder, then StarLogger is probably installed.

If it is true, one wonders how long it has been going on. Does it make sense for Samsung to want to “monitor the performance of the machine and to find out how it is being used.”? As usual, corporate users are not the concern here, but home and small business users who just boot up their new laptop and use away without a second thought to out-of-the-box infection with a keylogger.

It will be interesting to hear the official explanations of this “uncomfortable” situation by Samsung if the report turns out to be true. I am always cautious about these reports and allegations because the reputation of an organization is at stake. Is it possible that the software was installed along with the detection/scanning tool (in this case VIPRE)? The author claims it a commercially licensed version though.

What other devices could this affect if the allegation turns out to be true? A lot of people have Samsung printers, cell phones, tablets, mp3 players etc. Should we be worried? I guess we will wait and see. Scary all the same.