Google’s attempt to block infostealer malware that steals data stored in the Chrome browser appears to have been short-lived, with multiple variants already claiming to have successfully evaded the malware.
In late July 2024, Google released Chrome 127, which introduced App-Bound Encryption, a feature intended to ensure that sensitive data stored by websites or web apps could only be accessed by a specific app on a device. It works by encrypting data so that only the app that created it can decrypt it, and was advertised as being particularly useful for protecting information like authentication tokens or personal data.
Now, just months after its introduction, the protection mechanism has already been cracked by some of the most popular infostealers out there, BleepingComputer reports claiming that MeduzaStealer, Whitesnake, Lumma Stealer, Lumar, Vidar, and StealC have all introduced some form of bypass.
Prioritizing impact
Some upgrades also appear to work with Chrome 129, the latest version of the browser available at the time of publication. Ny Breaking has contacted Google for comment and will update this article if we hear back.
“Added a new method to collect Chrome cookies,” Lumma’s developers recently told their customers. “The new method does not require admin rights and/or reboots, which simplifies crypt building and reduces the chance of detection, thus increasing the knock rate.”
Exfiltrating information from browsers is a key function for most of the prominent infostealers out there. Many people store things like passwords or payment details in their browsers for convenience and quick access. Many also use cryptocurrency wallet add-ons for their browsers. By stealing cookies, criminals can even log into services protected by multi-factor authentication (MFA). All of this makes browsers one of the top targets for data theft.