No, Samsung is not shipping laptops with keylogger/spy software...

Filed Under: Malware, SophosLabs

Yesterday, we wrote about the reported keylogger thought to have been installed on Samsung laptops. Since then, as noted in the updates made to the article, the issue has been explained.

The whole thing arose because of a false positive from a competitor's scanner. More specifically, as revealed by Samsung themselves, the fact that a directory named used in a Slovene flavour of Windows happens to match that of a commercial keylogger (StarLogger).

competitor false-positive

The industry is well aware of the problems caused by false positives. for administrators, they can be almost as costly as a real infection itself. As this case illustrates, with rapid dissemination of "information" through blogs and social networks nowadays, a false positive can quickly snowball into a PR incident for the affected party.

Mea culpa.

, ,

You might like

9 Responses to No, Samsung is not shipping laptops with keylogger/spy software...

  1. Bjørn Froberg · 1653 days ago

    I believe that should read "Mea Maxima Culpa".

    I'm surprised that this has been talked about so much on twitter and blogs all over the web by so many security vendors.

    It seems that someone at some stage entirely neglected to do basic fact-checking.

  2. Cliff · 1653 days ago

    I sent the original tip into Sophos (which I picked up from the ThinkGeek Facebook page). I knew you guys would get to the bottom of it. I'm glad I started following you!

  3. Richard Wall · 1653 days ago

    This is far more likely. Looking at several news sites though allot of news posts are circulating that Samsung have done this and apparently admitted to it.

    This is going to cause allot of commercial damage for them. Surely Samsung should have picked this up themselves during testing though.

  4. Fionacat · 1653 days ago

    I'm slightly concerned however that it picked it up as a possible threat when it was just a folder, surely it should only be reporting back to you that there's an infection if there's that folder (which keylogger/virus/malware uses) and some actual content like an executable or script file.

    The mere presence of the directory is a terrible way to possibly identify things >.>

  5. Good update, but what I'm still wondering is why the Samsung tech support confirmed that they have monitoring software installed then. So, if there isn't a keylogger installed, what's installed instead?

    • jackreporter · 1652 days ago

      Samsung didn't confirm anything. All we know is that the original author paraphrased something he heard in a conversation with someone who probably doesn't speak English as their first language. Given that everything else in the article has turned out to be wrong, I'm not putting a lot of weight in the author's ability to understand a conversation, especially when he's clearly got an agenda.

      Most likely, the tech support person assumed he was talking about common-or-garden system health monitoring tools and said yeah, that's preinstalled to monitor how you use your computer and optimize it. Hassan did say that he had to press the issue before getting an answer, and that they told him MS had installed the software at first. He heard what he wanted to hear.

  6. BrianR · 1653 days ago

    Sophos' handling of this is in marked contrast to Network World's...

    (1) In the original article's lead paragraph alone, you repeatedly indicate the lack of certainty ("..may have made... If this story turns out to be true"). In Mr. Hassan's article the only lack of certainty seems to be about whether the keylogger is illegal.
    (2) You are now clear that this is a false positive. Network World will only go as far as "likely" (oh, and "Samsung continues its investigation").
    (3) You apologised for your article. Network World appears to solely blame Vipre and the poor sod on Samsung's Help Desk (who was clearly having a completely different discussion to Mr. Hassan's).
    (4) Finally, both Sophos and Network World inserted updates in front of their articles. But Sophos took the further step of crossing out the article. I love this - you aren't hiding it but you're making it absolutely clear that it's wrong.
    Network World? Well, right now its home page show its most popular article as "Samsung installs keylogger on its laptop computers".

    Well done and thank you, Sophos.

  7. TimB · 1653 days ago

    Im a little confused as to how a pattern that simply matches a folder name could pass for muster as a valid detection. From the little experience I have had in the Anti-Vir industry, patterns are alot more targeted then that for exactly this reason.

  8. André O. Brown · 1652 days ago

    So what of the claim that a Samsung supervisor admitted to the installation of software for "market research"? I can understand the false positive, but what about that admission? Is there something still lurking there, or was that supervisor misquoted or grossly mistaken?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.