Lenovo Shipping PCs with Adware Pre-Installed

Lenovo has become one of the most popular PC manufacturers in recent years, due mostly to competitive pricing and an assortment of products catering to every customer need. Unfortunately, security experts have recently uncovered that Lenovo is also shipping these popular computers with invasive marketing software that borders on malware. This malware could easily open up doors for cybercriminals and hackers – not to mention that Lenovo doesn’t seem to have a problem spying on its very own customers to make a few extra bucks. This software, known as Superfish Malware, is designed to analyze users’ Internet habits and inject third-party advertising in popular web browsers including Google Chrome and Internet Explorer with the PC user’s permission. Superfish Malware has been on all new consumer-grade Lenovo laptops sold prior to January 2015. The malware is activated as soon as the machine is turned on for the first time, and Lenovo customers are using it without knowing the dangers inherent to malware like Superfish.

What makes this malware especially dangerous is that it mimics a “Man in the Middle” (MitM) attack. In other words, the software impersonates the security certificates of encrypted websites in an effort to monitor users’ behavior even when navigating websites protected by SSL encryption. The problem with a MitM attack of any type is that it opens the door for hackers to compromise the sensitive information of any customer using Superfish – whether knowingly or unknowingly.

Passwords, banking details, and other personal information can easily be intercepted by cybercriminals because the information isn’t actually protected by the SSL certificate the session purports to be operating within.

Essentially, all a hacker would need to bypass the PC’s built-in web encryption is the password that unlocks the single password-protected certificate authority. Robert David Graham, a security researcher for Errata Security, cracked and published this password, which he was easily able to locate in the Superfish malware’s active memory. Any hacker or cybercriminal could do the same thing and begin intercepting the transmissions from any victim using a Lenovo PC with Superfish installed.

In response to news of this dangerous security breach, Lenovo has since removed Superfish from new PCs. In an official statement, Lenovo said: “We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”

Regardless of how Lenovo attempts to spin this software as a way to enhance the user experience, security experts agree that the Superfish malware is a blatant man-in-the-middle attack not unlike similar attacks performed by hackers in coffee shops and other public Wi-Fi hotspots around the world.

If you currently use a Lenovo PC manufactured before January 2015, it is recommended that you remove this malware from your system as soon as possible.

This can be accomplished by opening the Microsoft Management Console (mmc.exe) and following the steps below:
1. Click File and click Add/Remove
2. Choose Certificates and click Add
3. Choose Computer Account and click Next
4. Choose Local Computer and click Finish
5. Click OK
6. Go to Trusted Root Certification Authorities > Certificates
7. Locate the certificate issued to Superfish and delete it

It is this simple to remove this potentially dangerous piece of malware permanently and it is recommended that all Lenovo PC users disable Superfish as soon as possible.
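The same check and removal can be scripted for machines where clicking through the console is impractical. The following PowerShell is an added example, not part of the original article or any Lenovo tooling: it looks in the Local Computer Trusted Root store that the steps above open, matches on the name “Superfish” given in the article, saves a copy of each matching certificate, deletes it and confirms nothing is left. The function names and the backup folder are assumptions chosen for illustration.

```powershell
# Added example: scripted form of the MMC steps above
# (Computer Account > Local Computer > Trusted Root Certification Authorities > Certificates).
# Listing works from any prompt; deleting from LocalMachine\Root needs an elevated prompt.

function Find-SuperfishRoot {
    param([string]$Pattern = 'Superfish')   # name as given in the article
    # Match "issued to" (Subject) and "issued by" (Issuer); a root is self-signed,
    # so both normally carry the same name.
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" }
}

function Remove-SuperfishRoot {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Pattern   = 'Superfish',
        [string]$BackupDir = (Join-Path $env:TEMP 'removed-root-certs')  # hypothetical folder
    )

    $hits = @(Find-SuperfishRoot -Pattern $Pattern)
    if ($hits.Count -eq 0) {
        Write-Output "No certificate matching '$Pattern' in LocalMachine\Root."
        return
    }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($cert in $hits) {
        # Show exactly what matched before anything is deleted.
        $cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter | Out-Host

        # Keep the public certificate (no private key) as a record of what was removed.
        $backup = Join-Path $BackupDir "$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $backup | Out-Null

        # ConfirmImpact = High makes PowerShell ask before each deletion.
        if ($PSCmdlet.ShouldProcess($cert.Subject, 'Delete from LocalMachine\Root')) {
            Remove-Item -LiteralPath $cert.PSPath
        }
    }

    # Re-query the store so the result reflects its state after the deletions.
    $left = @(Find-SuperfishRoot -Pattern $Pattern)
    Write-Output "Matching certificates still present: $($left.Count)"
}

# Audit only: list any matching root certificate without changing the store.
Find-SuperfishRoot | Format-List Subject, Issuer, Thumbprint, NotAfter
# To delete: Remove-SuperfishRoot   (append -WhatIf for a dry run)
```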

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
