Lenovo to Pay $3.5m for Secretly Installing Adware in 750,000 Laptops

A few years back, Lenovo Inc., a world-famous and seemingly reliable laptop manufacturer headquartered in Beijing, found itself in hot water after the startling revelation that the company’s laptops shipped with pre-installed adware called VisualDiscovery, developed by Superfish.

The software compromised the security protections users had installed on their laptops. It performed a man-in-the-middle attack on private and secure connections, as a result of which attackers could gain free access to the system and spy on encrypted communications.

Although Lenovo released a tool for deleting the adware back in 2015, the act was challenged in court by a 32-state coalition in 2015. After a two-and-a-half-year court battle, Lenovo has finally given in and agreed to pay $3.5 million by signing an agreement with the Federal Trade Commission, Connecticut, and 31 other states. The company has also pledged to change the way it sells devices. The settlement agreement was announced on Tuesday.

The FTC issued the following statement to confirm the agreement:

“As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ internet browsing sessions or transmit sensitive consumer information to third parties.”

The FTC further explained the stipulations Lenovo would have to abide by:

“The company must also get consumers’ affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.”

Lenovo has maintained the stance that it doesn’t agree with the allegations and that it was unaware of the exploitation of the app by third parties. However, the company is paying the fine to close the case for good. Furthermore, the company claims that it had already stopped selling the software in 2015.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years. To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications,” read Lenovo’s official statement on the agreement.

In August 2014, Lenovo installed adware called VisualDiscovery on thousands of laptops to automatically deliver pop-up ads. However, the software blocked browsers from warning the user against visiting the malicious websites that the pre-installed adware linked to. The adware could steal valuable information such as Social Security numbers, private credentials, and similar sensitive data. This, claims the FTC, was clear proof of the way Lenovo compromised the privacy of consumers.

The preloaded software “could access consumers’ sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on,” stated Maureen Ohlhausen, the acting chairman of the FTC. The FTC also noted that the data stolen by VisualDiscovery was not received by or sent to Superfish, the Palo Alto, California-based firm.

Ohlhausen stated that the 750,000 Lenovo laptops sold between August 2014 and June 2015 were equipped with VisualDiscovery. The list of affected Lenovo computers includes the following brands released during the above-mentioned period:

E-Series, Edge Series, Flex-Series, G-Series, Miix Series, S-Series, U-Series, Y-Series, Yoga Series, and Z-Series.

It is believed that young and low-income consumers were the primary targets in this scheme.

The software was tracking everything on the computer, from login credentials to personal data, medical information, emails, bank account information and other sensitive data. So the website that was apparently selling furniture was collecting private and financial data. That’s because Superfish was a third-party vendor, states Ohlhausen, and it is hard to believe that Lenovo was unaware of the data capturing all this while. Nonetheless, she urges computer manufacturers to stay cautious when choosing contractors, as they might have their own incentives for partnering.

“Everybody in the chain needs to pay attention. This happened to be one of the world’s largest computer manufacturers, and I think it sends an important message: If you are going to install these kinds of software, you need to pay attention to what it’s collecting, what you’re telling consumers, and the kinds of risks that it might be creating,” says Ohlhausen.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.