Lenovo Caught Pre-Installing Malware on its Computers Again

Earlier this year, Lenovo was caught pre-installing adware on its computers, eliciting a vociferous backlash from users. The Superfish scandal, however, appears merely to have been its test-run in preparation for its latest ruse: Lenovo ThinkPads, ThinkCentres, and ThinkStations have been found containing user-tracking spyware that is scheduled to run every day and sends usage data to an analytics company.

The spyware was discovered by independent computer security consultant Michael Horowitz while using the free software TaskSchedulerView to peruse his ThinkPad. He says:

The task that gave me pause is called “Lenovo Customer Feedback Program 64”. It was running daily. According to the description in the task scheduler: “This task uploads Customer Feedback Program data to Lenovo”.

I have set up my fair share of new Lenovo machines and can’t recall ever being asked about a Customer Feedback program.

The program that runs daily is Lenovo.TVT.CustomerFeedback.Agent.exe and it resides in folder C:\Program Files (x86)\Lenovo\Customer Feedback Program.

Other files in this folder are Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll.

According to Wikipedia, Omniture is an online marketing and web analytics firm, and SiteCatalyst (since renamed) is their software as a service application for client-side web analytics.

So, while there may not be extra ads on ThinkPads, there is some monitoring and tracking.

On the one hand this is surprising because the machines were refurbished and sold by IBM. On the other hand, considering Lenovo’s recent history, it’s not surprising at all.

Lenovo’s right to use this malware to gather information on its users is buried deep within its Licence Agreement – an .rtf file stored in the obscure folder C:\Program Files (x86)\Lenovo\MetricCollectionSDK\licenses – so it is doing nothing illegal, but its behaviour is at the very least unethical and risks violating user trust and damaging its brand.
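The scheduled task, executable and folders named above can be checked on a Windows machine with a read-only PowerShell audit. This is an added example, not code from Horowitz or Lenovo; the task name, file name and paths come from the article, while the wildcard match on the task name is an assumption (the article names only the "64" variant).

```powershell
# Added example: read-only audit for the items named in the article.
# Task name, executable and folder paths are taken from the article text.
# Assumption: other variants of the task share the same name prefix.
$taskPattern = 'Lenovo Customer Feedback Program*'
$agentExe    = 'Lenovo.TVT.CustomerFeedback.Agent.exe'
$folders     = @(
    'C:\Program Files (x86)\Lenovo\Customer Feedback Program',
    'C:\Program Files (x86)\Lenovo\MetricCollectionSDK\licenses'
)

# 1. Scheduled tasks matched either by name or by the program they launch,
#    so a renamed task that still starts the agent is also reported.
$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -like $taskPattern -or
    ($_.Actions | Where-Object { $_.Execute -like "*$agentExe*" })
}

$taskReport = foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskPath    = $t.TaskPath
        TaskName    = $t.TaskName
        State       = $t.State
        Execute     = ($t.Actions | ForEach-Object { $_.Execute }) -join '; '
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
    }
}

# 2. Files present in the folders the article mentions.
$fileReport = foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        Get-ChildItem -LiteralPath $f -File |
            Select-Object FullName, Length, LastWriteTime
    }
}

if ($taskReport) { $taskReport | Format-List }
else { 'No matching scheduled task found.' }

if ($fileReport) { $fileReport | Format-Table -AutoSize }
else { 'None of the listed folders exist on this machine.' }
```

Run it from an elevated prompt so that tasks registered for other accounts are visible; it changes nothing on the system.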

In light of these revelations, Lenovo has issued an official statement regarding data collection which reads:

“Statistical data collection by Lenovo has been the subject of press reports and social media discussion. Similar to other companies in the PC, smartphone and tablet industries and as disclosed in the End User License Agreement, Lenovo products collect non-personally identifiable statistical usage data that is not tracked to any single customer or device. This data helps Lenovo improve both existing and future products.”

“In preparation for Windows 10, all programs preloaded on Lenovo PCs were reviewed by Lenovo and independent 3rd parties from privacy and technical perspectives and are listed in the “programs directory” in Windows, under “settings”. Customers who do not want to participate, can remove the program by going into the “Control Panel”, opening “Add / Remove Programs”, clicking on the program and selecting “uninstall””

Thank you Boing Boing for providing us with this information.