Having bloatware installed on your devices is a sad fact of life these days, but Lenovo has just been caught installing something much, much worse. The Chinese technology manufacturer has been preinstalling adware on its own products before selling them on to consumers.
Lenovo has been installing a piece of software called Superfish, a programme that injects adverts into users’ browsers without them knowing about it. Lenovo claims that Superfish is perfectly innocent, and that it’s designed to help people find the best deals and prices when they’re shopping online. That’s not entirely true.
Users who are used to ads probably won’t even notice that Superfish is doing its thing, but others have started reporting that Lenovo computers are throwing up sponsored ads as soon as they come out of the box. In some cases it’s even preventing some websites from rendering properly. Sadly, these minor gripes are nothing compared to what else Superfish is doing.
The main concern is that Superfish has been officially branded as malware because it installs its own security certificate authority onto users’ machines. This means that the software is capable of eavesdropping on secure connections, like online banking or other activities that you’d rather were kept private. This is a technique used by hackers, known as a man-in-the-middle (MITM) attack, and it makes Superfish more than just a minor annoyance: it makes it a full-blown security liability.
Web browsers like Chrome or Internet Explorer are at risk, but apparently Superfish doesn’t affect Firefox because the browser has its own certificate authority store.
If you do own a Lenovo machine I suggest that you remove Superfish as soon as possible. A number of online guides will walk you through the uninstall manually, or you can choose an easier option and use anti-malware software like Malwarebytes.
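An added example, not from the original article or from Lenovo: a PowerShell check for the certificate authority problem described above. It lists any trusted root in the Windows certificate stores whose subject or issuer contains "Superfish". That the certificate carries the vendor's name is an assumption, and Firefox's separate store is not covered.

```powershell
# Added example: audit the Windows trusted-root stores for an injected CA.
# Assumption: the certificate's subject or issuer contains the vendor name.
param(
    [string]$Name = 'Superfish'
)

# Machine-wide and per-user trusted root stores. These are the stores that
# Chrome and Internet Explorer rely on; Firefox keeps its own store.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$Name*" -or $_.Issuer -like "*$Name*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A self-signed entry in a Root store is a certificate authority
                # that every site certificate can be chained to.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # True if the signing key is also present on this machine.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "$(@($findings).Count) trusted root certificate(s) matching '$Name' found."
} else {
    Write-Output "No trusted root certificate matching '$Name' in the Windows stores."
}
```

Run it again after uninstalling the software to confirm that the certificate is gone as well.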
Mark Hopkins, Lenovo’s community administrator, said this:
“We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”
He hasn’t said anything about ditching Superfish completely. It makes you wonder what Lenovo actually had planned for the software. Innocent shopping tool? Or something else entirely?
Update: Lenovo has made an official statement regarding Superfish, saying that the inclusion of the software was designed to enhance the customer’s experience and it does not believe there is any evidence that substantiates security concerns. It goes on to claim that Superfish does not monitor user behaviour, each session is independent and anonymous, and people were given a choice on whether or not they actually used it.
Furthermore, Lenovo says that the software was only installed on laptops between September and December of last year, and due to negative feedback it apparently stopped preloading the software last month. This also meant disabling the servers, deactivating all Superfish products, and promising not to preload the software in future.
You can read the full statement on Lenovo’s website.