The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.
Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.
Keylogger found in preinstalled audio driver
According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 126.96.36.199 and earlier.
This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).
This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file “monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys.”
This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at:
Audio driver also exposes keystrokes in real-time via local API
If the file doesn’t exist or a registry key containing this file’s path does not exist or was corrupted, the audio driver will pass all keystrokes to a local API, named the OutputDebugString API.