After further scrutiny, tech-savvy consumers saw that an application called Superfish was bundled with the preinstalled software, presumably to narrow search results and make shopping easier. Superfish, which Lenovo knowingly included on its new machines, turned out to be a security and PR disaster amid findings of vulnerability to man-in-the-middle attacks, certificate authority spoofing, and privacy violations.
This arguably turned Superfish into preinstalled malware—a far cry from its adware roots.
Preinstalled software, in general, is lodged on a device before it reaches the hands of an end user. Sometimes it is installed at the factory, as with the Lenovo and Superfish example. But there are also scenarios in which these products are placed somewhere along the supply chain before the device reaches the marketplace. Preinstalled malware can take several forms, but it is most likely channeled through adware or some other vehicle that directly affects a computer’s root system—its topmost level of the operating hierarchy.
In our example above, the Superfish adware was granted privileges to modify the system’s trusted certificate authorities (CAs): it installed its own root CA certificate. This was intended to let Superfish act as a “go-between” in search engine results, enabling it to promote certain products. What it actually did, though, was expose that certificate authority’s private key (which was the same across all Lenovo laptops), making it possible for anyone holding the key to sign a certificate for any website, intercept a user’s encrypted traffic, and pass as legitimate. Furthermore, certificates forged with that key could be presented by phishing websites masquerading as banking, employment or retail sites, leaving consumers vulnerable to password and identity theft, and potentially, unwanted access to their financial accounts.
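The defender’s first question after reading the paragraph above is whether a root like Superfish’s is sitting in a machine’s trust store right now, and whether the same root (same subject and serial, hence the same key) shows up across a whole fleet. The following is an added example, not code from Lenovo, Superfish, or the original article. It uses only Python’s standard-library ssl module, whose get_ca_certs() returns each loaded CA as a dict with the subject and issuer given as tuples of relative distinguished names. The suspect name "Superfish, Inc." is an assumption about how that root identified itself, the sample certificates and their serial numbers are constructed for the example, and the fleet-comparison function is a hypothetical helper, not anything from the page.

```python
"""Audit a trust store for injected root CAs.

Added example (not the vendor's or the article's code). Relies on the ssl
module's cert-dict layout: 'subject' and 'issuer' are tuples of RDNs such as
((('countryName', 'US'),), (('commonName', 'Example'),)).
"""
import ssl

# Assumption: the Superfish root identified itself as "Superfish, Inc." in
# both its organization and common name. Treat this list as illustrative.
SUSPECT_NAMES = ["Superfish, Inc."]


def rdn_to_dict(name):
    """Flatten an ssl-style name tuple into {'commonName': ..., ...}."""
    flat = {}
    for rdn in name:
        for key, value in rdn:
            flat[key] = value
    return flat


def is_self_signed(cert):
    """A root CA is its own issuer; injected roots are almost always self-signed."""
    return cert.get("subject") == cert.get("issuer")


def find_suspect_roots(ca_certs, suspect_names=SUSPECT_NAMES):
    """Return summaries of loaded CA certs whose O or CN matches a suspect name."""
    hits = []
    for cert in ca_certs:
        subject = rdn_to_dict(cert.get("subject", ()))
        label = " ".join(filter(None, [subject.get("organizationName"),
                                       subject.get("commonName")]))
        if any(s.lower() in label.lower() for s in suspect_names):
            hits.append({
                "commonName": subject.get("commonName", ""),
                "organizationName": subject.get("organizationName", ""),
                "serialNumber": cert.get("serialNumber", ""),
                "selfSigned": is_self_signed(cert),
            })
    return hits


def audit_system_trust_store(suspect_names=SUSPECT_NAMES):
    """Check the CAs Python's ssl module actually loaded on this host.

    Caveat: on Linux builds that use a capath directory, OpenSSL loads a CA
    only after it has been used, so an empty result is not proof of a clean
    store; on Windows and macOS the system store is read in full.
    """
    ctx = ssl.create_default_context()
    return find_suspect_roots(ctx.get_ca_certs(), suspect_names)


def fleet_common_unknown_roots(roots_by_host, baseline_serials, min_hosts=2):
    """Hypothetical fleet check: a root with the same subject and serial on many
    machines, but absent from a vendor-independent baseline, is the signature
    of one shared key shipped on every device. Returns {(cn, serial): hosts}."""
    counts = {}
    for host, certs in roots_by_host.items():
        seen = set()
        for cert in certs:
            key = (rdn_to_dict(cert.get("subject", ())).get("commonName", ""),
                   cert.get("serialNumber", ""))
            if key[1] in baseline_serials or key in seen:
                continue
            seen.add(key)
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n >= min_hosts}


def _name(country, org, cn):
    return ((("countryName", country),), (("organizationName", org),),
            (("commonName", cn),))


# Constructed sample store: one legitimate-looking public root and one root
# modelled on the Superfish CA. Serial numbers are made up for the example.
GOOD_ROOT = {"subject": _name("US", "Example Root CA", "Example Root CA"),
             "issuer": _name("US", "Example Root CA", "Example Root CA"),
             "serialNumber": "01", "version": 3}
BAD_ROOT = {"subject": _name("US", "Superfish, Inc.", "Superfish, Inc."),
            "issuer": _name("US", "Superfish, Inc.", "Superfish, Inc."),
            "serialNumber": "02", "version": 3}
SAMPLE_STORE = [GOOD_ROOT, BAD_ROOT]

if __name__ == "__main__":
    print("sample store hits:", find_suspect_roots(SAMPLE_STORE))
    print("this host:", audit_system_trust_store())
```

A hit from find_suspect_roots is only the start: the certificate alone cannot tell you whether its private key is shared, which is why the fleet comparison matters, and the remedy is to remove the root from every trust store (including those of browsers that keep their own) rather than to rely on a factory reset that restores the same image.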
Preinstalled malware is nothing new. Back in 2001, the Japanese release of Atelier Marie for the Sega Dreamcast was distributed with an infected CD-ROM. Whenever players installed a custom screensaver, they were infected with the Kriz virus, which would lie dormant until Christmas Day, then activate and cause complete system destruction. In this particular case, it is suspected that the manufacturing process itself was compromised.
More recently, preinstalled malware made headlines when almost forty different models of Android smartphones were reportedly infected, somewhere in the supply chain, with adware or a rootkit. Most of these models were intended to be used as “work phones,” distributed by businesses and organizations for employee use. The adware, as expected, would display revenue-generating advertisements. The rootkit, too, functioned exactly as its authors intended: it was virtually undetectable and opened the phones up to spyware, a botnet, and on some devices even ransomware. The latter, of course, would encrypt all information on a device, offering a solution only after a fee was paid to the hacker.
The removal of preinstalled malware (especially of the aforementioned magnitude) often requires more than just a factory reset, since a reset restores the same compromised image. A full sweep of the system and re-installation of software and applications from clean media is typically warranted. Given the widespread dependence on software technology in modern society, the discovery of preinstalled software with malicious intent remains a real security concern.