Samsung Laptop Spyware Confirmed As False Alarm

Samsung “keylogger” spyware was a Windows Live Slovenian language directory detected as a false positive

Samsung is not installing a StarLogger keylogger on brand-new laptops, after all.

Despite earlier reports, it appears that the antivirus software that Toronto-based security expert Mohamed Hassan used to scan his Samsung laptops was at fault for finding a suspected keylogger on two different Samsung models.

“Our findings indicate that the person mentioned in the article used a security program called Vipre that mistook a folder created by Microsoft Live Application for a key logging software, during a virus scan,” a Samsung spokesperson told eWEEK on March 31. Alex Eckelberry, general manager of GFI Security, confirmed the problem with the company’s antivirus product.

“Keylogger” Was Windows Live Content

In a detailed report, Hassan, who identifies himself as a senior security consultant at Netsec Consulting, described running an antivirus on a Samsung laptop and learning there was a keylogger installed in the Windows directory that the security product claimed was StarLogger. If Hassan had glanced at the folder’s contents, he would have learned that it was actually a Slovenian language directory for Windows Live, according to Eckelberry.

Eckelberry explained why Vipre had misidentified the benign language files so badly in the company’s GFILabs blog. The false-positive occurred because Vipre uses folder paths as a heuristic or pattern analysis method, which is a “rarely used and aggressive Vipre detection method”, he said. Vipre uses a combination of simple signature-based scanning, heuristic and behavioural analysis techniques to detect malware.

GFI reviews all first detections using the folder paths to prevent false-positives. At the time the StarLogger entry was added to Vipre, this was reviewed and approved, as the StarLogger keylogger used that directory path. Testing against a broad range of Windows platforms and foreign language packs confirmed this method was valid.

However, “several years after the original detection was written”, Windows Live started using that directory to install Slovenian language files, Eckelberry wrote. Samsung started pre-installing Windows Live, including all the languages. “And there you have the problem we’re having today,” he concluded.

While rarely used, using folder path names to identify malware is actually used “by a good number of antimalware products”, Eckelberry said. As was proven in this case, a folder that looks clearly like one used for malware can actually be a legitimate directory, he said.

“We apologise to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive,” Eckelberry said.

F-Secure Confirms Samsung’s Claim

Security firm F-Secure had researchers go to a local IT store to test Samsung laptops for sale and found no keyloggers by default.

“The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years,” Hassan had originally written in an article for the Security Strategies Alert newsletter run by Mich Kabay, CTO of Adaptive Cyber Security Instruments and associate professor of information assurance in the School of Business and Management at Norwich University in Vermont, USA.

Kabay said Samsung was sending another laptop to the university to prove its innocence.

It is unclear why the Samsung support supervisor had told Hassan that the software was there to monitor how users were using the laptop when Hassan reported the incidents in March. Samsung has reportedly launched an investigation into the whole incident.