Google Chrome, known for its robust security features, is now facing new threats from Infostealer malware developers. These malicious actors claim to have found ways to bypass Chrome’s latest security feature, App-Bound Encryption, which was introduced in Chrome version 127. The feature, designed to protect sensitive user data such as cookies and passwords, encrypts information using a Windows service with system privileges.
Infostealer malware bypasses Chrome defenses
Infostealer malware creators, notorious for targeting browser-stored data, are rapidly evolving. Several developers recently announced that they have successfully bypassed Chrome’s new encryption system. Among the affected tools are MeduzaStealer, WhiteSnake, Lumma Stealer, and Vidar Stealer. These malware programs are allegedly capable of stealing cookies and other sensitive data from Chrome without needing system-level access.
Security researchers g0njxa and RussianPanda9xx confirmed that at least some of these claims appear legitimate. For example, g0njxa verified that the latest version of Lumma Stealer and WhiteSnake can bypass the encryption feature in Chrome 129, the browser’s most recent version. The researchers conducted tests on a Windows 10 Pro system in a sandbox environment to analyze the malware’s behavior.
Researcher g0njxa tested the Lumma Stealer variant in a controlled environment and confirmed that it bypassed the encryption feature in Chrome 129. This poses a serious threat. Chrome’s encryption was supposed to shield user credentials, even from malware running on the same system.
A post by RussianPanda9xx revealed that MeduzaStealer launched a test version claiming to bypass Chrome 127’s encryption. Other tools like Lumma Stealer have also followed suit, with some malware developers stating that their updated versions can now extract cookies from Chrome 129, the latest browser version.
The bypass technique used by Infostealer malware involves manipulating Chrome’s security without triggering system warnings. Previously, malware required administrative privileges or code injection to steal data. These actions often resulted in alerts from antivirus software. However, recent advancements by malware developers, such as those behind Lumma Stealer, have eliminated the need for admin privileges. This change reduces the risk of detection, making the malware more dangerous.
Ongoing threat to Chrome users
While Google’s App-Bound Encryption was intended to prevent Infostealer malware from accessing sensitive data, hackers have quickly adapted. Malware developers claim to have cracked the encryption in a matter of minutes. The details of how they bypass the encryption remain undisclosed, but this represents a significant challenge for Google’s security team.
Infostealer malware Chrome defenses are now being tested on a broader scale, as more malware developers implement similar bypass methods. Tools like Vidar Stealer and StealC have also reportedly integrated bypasses within the last week, continuing to pose risks to users’ online security in the tech world.
