Kaspersky defends force-replacing its security software without users' explicit consent
Earlier this week, some U.S. customers of Kaspersky’s antivirus were surprised to find out that the Russian-made software disappeared from their computers and had been replaced by a new antivirus called UltraAV, owned by American company Pango.
The move was the result of the U.S. government’s unprecedented ban on Kaspersky, which prohibited the sale of any Kaspersky software in the country. The ban on selling the company’s software became effective on July 20, while the ban on providing subsequent security updates to existing customers will become effective on September 29.
A spokesperson for Pango, the cybersecurity company that owns UltraAV, defended the automatic migration, which in practice meant roughly a million U.S. Kaspersky customers became UltraAV customers overnight. At a technical level, that meant Kaspersky uninstalled itself from customers' machines, and UltraAV installed itself, without any user interaction.
That lack of user interaction — or request for consent — is what confused and concerned some former Kaspersky customers.
“Basically, on my computers, Kaspersky pushed an uninstall of the Kaspersky products and pushed an automatic install of UltraAV & UltraVPN onto my computers," Avi Fleischer, a former customer of Kaspersky, had previously told TechCrunch. "They should’ve given me the option to accept UltraAV or not."
“They should NEVER push software onto someone’s computer without explicit permission,” said Fleischer.
Kaspersky’s spokesperson Francesco Tius told TechCrunch that “the migration process started at the beginning of September, of which all Kaspersky customers in the U.S. eligible for the transition were informed in an email communication.” Tius said that for Windows users, the transition “was done automatically.”
Tius said in the email that this was done to ensure Windows users "would not experience a gap in protection upon Kaspersky’s exit from the market.” (Windows 10 and 11 have their own baked-in antivirus made by Microsoft, called Defender. If a Windows user has a third-party antivirus, and then uninstalls it, Defender switches back on automatically, according to Microsoft.)
Users on Mac, Android, and iOS devices, on the other hand, “needed to manually install and activate the service following the instructions on the email,” said Tius.
Tius blamed the fact that some users were unaware of the transition on them not having "an email registered with Kaspersky.”
“These users were informed of the transition via in-app message only,” said Tius, who also pointed to an FAQ posted on UltraAV’s website. Neither the in-app message, nor UltraAV's website, explicitly say that Windows users would experience a software uninstalling itself and installing a completely different software. On top of that, UltraAV is a brand-new antivirus with no previous track record or published security audit, adding to the concerns of customers.
Pango spokesperson Sydney Harwood made largely the same points as Tius in a series of emails with TechCrunch.
Rob Joyce, the former director of cybersecurity at the National Security Agency, wrote in a series of posts on X that this automatic migration showed why granting Kaspersky software trusted access to anyone's computer was a "huge risk."
“They had total control of your machine,” wrote Joyce.
Martijn Grooten, a cybersecurity consultant and the former editor of Virus Bulletin, a publication covering the antivirus industry since 1989, told TechCrunch that “ultimately, if you install software, it can update itself to become something entirely new, change branding and/or change ownership.”
“That's all a risk you implicitly accept and all of it happens regularly,” he said, adding that he does not remember another time an antivirus did the same thing. “They should have probably informed people better, given that security software depends on trust, but even in that case, some people would have ignored the warning.”