More than 57,000 people installed the malicious backdoor on their ASUS computers after hackers attacked a server for the company's live software update tool, Kaspersky said in an article posted on its website on Monday.
"The trojanised utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time," the firm said.
"We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide," it added.
The Moscow-based firm said that its ongoing investigation found that hackers had deployed the same techniques against software from three other companies.
Kaspersky uncovered the ASUS attack, which it dubbed "ShadowHammer", in January after adding a new supply-chain detection technology to its scanning tool and is planning to release a full report on it next month.
The incident highlights the growing threat from so-called "supply-chain attacks" where malware is installed on systems during the manufacturing or assembling process or through later updates, analysts say.
ASUS, which makes computers, laptops, smartphones and other electronics, released a statement saying it had upgraded its software to "prevent any malicious manipulation in the form of software updates or other means".
"ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed." – Rappler.com