Google’s attempt to block infostealer malware grabbing data stored in its Chrome browser seems to have been short-lived, with multiple variants claiming to have already successfully bypassed it.
In late July 2024, Google released Chrome 127, which introduced App-Bound Encryption, a feature which looked to ensure sensitive data stored by websites or web apps was only accessible to a specific app on a device. It works by encrypting data in such a way that only the app that created it can decrypt it, and was advertised as particularly useful for protecting information like authentication tokens or personal data.
Now, mere months after it was introduced, the protection mechanism has already been cracked by some of the most popular infostealers out there, BleepingComputer reports, claiming the likes of MeduzaStealer, Whitesnake, Lumma Stealer, Lumar, Vidar, and StealC have all introduced some form of bypass.
Prioritizing impact
Some of the upgrades are also confirmed to be working with Chrome 129, the newest version of the browser available at press time. TechRadar Pro has reached out to Google for comment, and will update our article if we hear back.
“Added a new method of collecting Chrome cookies,” Lumma’s developers allegedly told its customers recently. “The new method does not require admin rights and/or restart, which simplifies the crypt build and reduces the chances of detection, and thus increase the knock rate.”
Exfiltrating information from browsers is a key feature for most prominent infostealers out there. Many people save things like passwords, or payment data, inside their browsers for convenience and quick access. Many also use cryptocurrency wallet add-ons for their browsers, as well. By stealing cookies, crooks are even able to log into services protected by multi-factor authentication (MFA). All of this makes browsers one of the most important targets during data theft.