Samsung Notebooks Come with Key Logger Installed (Updated – False Positive)

Samsung is investigating the inclusion of key logger software on various Samsung Notebooks after Mohamed Hassan, an IT expert found the StarLogger key logging software on two different Samsung notebooks, purchased from two different locations. We have confirmed that the StarLogger is present on at least one other system which we have in for review.

UPDATE: Samsung has provided the following comment:

“Reports that a keylogger was installed in Samsung laptops are not true. Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft Live Application for a key logging software, during a virus scan.”

You can see the results of Samsung’s own test at the Samsung Korean Language blog, Samsung Tomorrow.

UPDATE 2: Sunbelt, makers of VIPRE and CounterSpy which identified the Slovenian language folder in Windows as a StarLogger Keylogger, has posted an update confirming the false positive.

“The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic.  I want to emphasize “rarely”, as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process.  (It’s not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result — a false positive.)”

The false positive has been fixed in a new definition set.

Initial Reports

After purchasing a Samsung R525 in February, Hassan ran a security scan using commercially available software and discovered that the notebook had StarLogger installed. This software is designed to run undetected and record every keystroke typed, which can reveal documents, browsing habits and passwords.

After experiencing unrelated issues, Hassan returned the notebook and purchase a Samsung R540 from a different retailer and discovered another key logger. This led to the conclusion that Samsung was shipping notebooks with key logging software installed.

When Hassan called support, he was told by a supervisor that the software was knowingly installed to, “monitor the performance of the machine and to find out how it is being used.”

Our Tests Find StarLogger on Another Samsung Notebook

We have a new, Samsung RV511 notebook in for review and were surprised to find that while the pre installed tools did not warn us of any issues, Sunbelt CounterSpy, made by the same company that makes VIPRE was able to locate two instances of StarLogger on our freshly booted system. It is unlikely that we picked up the StarLogger software on our own as we had only completed the first run Windows actions, downloaded the Chrome Browser and logged into our email.

Additional Testing

Laptop Magazine and other source have tested systems including the Samsung Nc110 and the Samsung Series 9 notebooks with no trace of the key logger.

Samsung’s Response to Key Logger Allegations

A Samsung Spokesperson told Notebooks via email that, “Samsung takes Mr. Hassan’s claims very seriously. After learning of the original post this morning, we launched an internal investigation into this issue. We will provide further information as soon as it is available.”

How to Find and Remove StarLogger

You can check your own Samsung notebook using the free 30 day trial of Sunbelt CounterSpy or you can follow the directions from CNet to locate StarLogger on you system. If you look at the Windows Task Manager and see the process WinSLManager.exe or if you open up Regedit and find a registry entry like, HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionrunwinsl, you are likely infected. You can follow the directions at CNet to remove StarLogger, or rely on the antivirus software to remove the key logger.

History and Consequences

However this turns out we expect that Samsung will be in for some serious questions from many lawyers, including the FTC which took a lead in the Sony Rootkit fiasco where Sony was caught putting footings on CDs. We are waiting for an update from Samsung and will keep you updated.

Now, if you’ll excuse me, I need to change some passwords. If you have a Samsung notebook, run the above tests and let us know if you are infected and which model you have.

Related Posts