Over two dozen models of HP laptops and tablets currently on sale have been found to covertly log every keystroke a user makes, according to an advisory published by Modzero, a Switzerland-based security consulting firm. The keylogger, which is included in an audio device driver developed by Conexant for HP devices, stores the key presses in an unencrypted file on the hard drive.
Researchers have found that one of the device driver components is MicTray64.exe, an executable file that allows the driver to respond when a user presses special keys. The file then sends all keystrokes to a debugging interface or writes them to a log file available on the computer’s C drive.
“This type of debugging turns the audio driver effectively into keylogging spyware”, researchers wrote. “On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015”.
Conexant’s MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user so that it can capture and react to special keys such as the microphone mute/unmute hotkeys. The monitoring is implemented as a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().
Affected HP models included HP EliteBooks, HP ProBooks, HP ZBooks, and HP Elites. People can check to see if their HP computer is at risk by searching for the files C:\Windows\System32\MicTray.exe or C:\Windows\System32\MicTray64.exe.
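
The file check described above, extended to also look for the scheduled task and a running process, as an added PowerShell example that is not part of the advisory or the original article. The function name `Get-MicTrayFinding` and the output layout are assumptions; the two file paths are the ones named above.

```powershell
# Added example. Run from a 64-bit PowerShell session: a 32-bit session is
# redirected away from System32 and would miss the files.
$MicTrayPaths = @(
    'C:\Windows\System32\MicTray.exe',
    'C:\Windows\System32\MicTray64.exe'
)

function Get-MicTrayFinding {   # hypothetical helper name
    param([string[]]$Path = $MicTrayPaths)

    # 1. Binaries on disk, with version, timestamp and signer so the result
    #    can be compared again after a driver update.
    foreach ($p in $Path) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $item = Get-Item -LiteralPath $p
            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            [pscustomobject]@{
                Kind   = 'File'
                Name   = $p
                Detail = 'version={0}; modified={1:u}; signer={2}' -f `
                    $item.VersionInfo.FileVersion, $item.LastWriteTimeUtc,
                    $sig.SignerCertificate.Subject
            }
        }
    }

    # 2. Scheduled tasks whose action launches a MicTray executable
    #    (the article says it is registered to run after each login).
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Actions | Where-Object { $_.Execute -match 'MicTray(64)?\.exe' } } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'ScheduledTask'
                Name   = '{0}{1}' -f $_.TaskPath, $_.TaskName
                Detail = 'state={0}' -f $_.State
            }
        }

    # 3. Processes currently running under either name.
    Get-Process -Name 'MicTray', 'MicTray64' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = 'pid={0}' -f $_.Id }
        }
}

$findings = @(Get-MicTrayFinding)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap }
else { 'No MicTray binaries, scheduled tasks or processes found.' }
```

An empty result means only that none of the three artifacts is present under these names on this machine.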