Lenovo Accused of Pre-Loading Malware

Scott Calonico

If you work in the world of IT, you are no doubt familiar with the term “bloatware.”

Preinstalled bloatware is irritatingly endemic on new PCs and laptops. It can include everything from antivirus software trials to annoying “support adviser” tools and little-known alternative PDF creation utilities.

Sometimes new computers come with so much of this software preinstalled that its presence is enough to slow low-end machines down to a crawl. A common task for IT consultants is to remove all this rubbish when a user or customer buys a new machine, so that it runs better. Furthermore, the same bloatware issue often applies to printers, where the manufacturers always seem keen to force their own unnecessary choice of software onto their users.

Sinister Bloatware

This bloatware we speak of is generally little more than an irritation, although it can sometimes prove awfully confusing for novice computer users.

However, PC manufacturer Lenovo has now found itself tied up in a bloatware scandal, relating to some pre-installed adware known as “Superfish.”

According to a BBC report, Superfish is far from an innocuous little program. In fact, it’s said that it’s “widely regarded in the industry as a form of malware.”

Superfish is designed to “inject” adverts into browsers; it’s essentially just like the kind of adware that creates unwanted pop-ups based on intrusive collection of data.

“Man-in-the-Middle”

Even scarier is an accusation that Superfish can apparently issue its own digital certificates, allegedly with Lenovo’s say-so. A security consultant has described this practice as Lenovo “betraying their customers’ trust.” Frighteningly, it’s this kind of “man-in-the-middle” operation that many hackers use to breach systems or launch phishing attacks.

The Response

Lenovo has spoken to the BBC about this issue and said that it has removed Superfish from new PC installs since the start of this year. It has also “disabled existing Lenovo machines from activating Superfish.”

This is essentially meaningless for any unsuspecting Lenovo purchaser in the interim period, because the software will presumably have already been activated.

Lenovo seem to be trying to play down the seriousness of the issue, saying that the adware was only preinstalled on “select models” for a “short window” of time.

However, the simple fact is that Lenovo clearly won’t have included Superfish on its machines for altruistic reasons. As with any bloatware, there was surely some deal involved, just as manufacturers inevitably have certain incentives to promote some antivirus packages over others.

One thing is for sure: Lenovo have done themselves some severe reputational damage, with both “Lenovo” and “Superfish” trending on Twitter, and consumers publicly expressing their disgust and saying they will never buy from Lenovo again. One wonders if the money they probably made from installing Superfish was worth it…