(CNNMoney) — Computer maker Lenovo has been shipping laptops prepackaged with malware that makes you more vulnerable to hackers — all for the sake of serving you advertisements.
Made by a company called “Superfish,” the software is essentially an Internet browser add-on that injects ads onto websites you visit.
Besides taking up space in your Lenovo computer, the add-on is also dangerous because it undermines basic computer security protocols.
That’s because it tampers with a widely-used system of official website certificates. That makes it hard for your computer to recognize a fake bank website, for instance.
It’s a nasty trick — the same one that the in-flight Wi-Fi service Gogo was caught doing last month.
“This is exactly what bad guys do with trojans and other malicious software to trick users to access fake sites to surveil/monitor private communications,” said Kevin Bocek, an executive at cybersecurity company Venafi.
Customers started spotting this on their Lenovo computers in mid-2014.
After facing a fierce backlash by customers and computer security experts this week, Lenovo on Thursday acknowledged as much.
“User feedback was not positive,” so Lenovo stopped preloading the software on new computers in January, a company spokesman said. Lenovo also promised it “will not preload this software in the future” and said it disabled the feature on its servers, which essentially kills the program on everyone’s computer.
The company initially claimed it only included Superfish on “some consumer notebook products shipped in a short window between October and December.” When CNNMoney noted that customers started complaining about this feature earlier than that, Lenovo acknowledged that factory installations of Superfish started back in September.
Lenovo lists 43 different models that were affected, including several of its Flex, E-, G-, S-, U-, Y- and Z-series laptops and several Miix and Yoga tablets.
These models include:
- E-Series: E10-30
- Flex-Series: Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 Pro, Flex 10
- G-Series: G410, G510, G710, G40-30, G40-45, G40-70, G40-80, G50-50, G50-45, G50-70, G50-80, G50-80Touch
- Edge Series: Edge 15
- Miix-Series: Miix2 – 8, Miix2 – 10, Miix2 – 11, Miix 3 – 1030
- S-Series: S310, S410, S415, S415 Touch, S435, S20-30, S20-30 Touch, S40-70
- U-Series: U330P, U430P, U330 Touch, U430 Touch, U540 Touch
- Y-Series: Y430P, Y40-70, Y40-80, Y50-70, Y70-70
- Yoga-Series: Yoga2-11, Yoga2-13, Yoga2Pro-13, Yoga3 Pro
- Z-Series: Z40-70, Z40-75, Z50-70, Z50-75, Z70-80
So, what was the point of the “Superfish Visual Discovery” software? It makes it easier to shop for deals. The program analyzes images you see on the Web and presents similar products that might have lower prices.
Lenovo stressed that the program did not “monitor user behavior” or record user information.
“The relationship with Superfish is not financially significant; our goal was to enhance the experience for users,” the company said in a statement. “We recognize that the software did not meet that goal and have acted quickly and decisively.”
But computer experts say the damage is done.
“They have not only betrayed their customers’ trust, but also put them at increased risk,” said Ken Westin, a security analyst with software maker Tripwire.
To be completely safe, you might have to install a fresh copy of the operating system. Lenovo customers have already paid for Windows on their laptops, so they will have to shell out another $120 for a copy of Windows 8.1.
And if you’re unsure whether your laptop is infected with Superfish, the computer security experts at LastPass developed a tool (LastPass Superfish Checker) that tells you whether it is.
Online tools:
- Superfish uninstall instructions (Lenovo)
- LastPass Superfish Checker
- Cloudflare security engineer Filippo Valsorda’s tool