Cybersecurity

Here's How Hackers Steal Google Passwords from Chrome Users

  • Reading time: 3 min
Recent research reveals a new StealC malware trick, trapping Chrome users in unescapable "kiosk mode" to steal Google account credentials.

Recent research reveals a new StealC malware trick, trapping Chrome users in unescapable “kiosk mode” to steal Google account credentials through frustration-driven password entry.

The campaign, which has been running since at least August, relies on opening the browser in full-screen mode in such a way that pressing the F11, and ESC keys will not allow an exit. After this, it will display to the user a fake Google login window in an attempt to make them enter an account login. If the user will have given the Google Account Passwords, then the malware intercepts them and forwards them to the attackers.

How the Kiosk Mode Attack Works

The behind-the-scenes method of this attack has been illustrated by researchers at Open Analysis Lab (OALabs).

First of all, it involves hackers infecting the computer of the victim with the Amadey hacking tool, which has been around for several years. That, in turn, installs StealC malware, which hijacks the browser and puts it into kiosk mode – a mode that’s supposed to be used on public access terminals or digital displays. In this mode, the user is not allowed to leave the screen or close the browser window.

“The modus operandi is based on the opening of the victim browser in kiosk mode and redirecting it to the login page of the attacked service, which usually is Google,” the researchers from OALabs explained.

The trapped user has only one option: to enter their Google credentials. Once the user does this, the malware StealC fetches the Google Passwords from the browser’s credential store and sends them to the attackers.

The malware, StealC, doesn’t do direct stealing, but instead leverages a so-called “credential flusher” which will force users into revealing their login credentials, enabling the attack to leverage several known elements in stitching together said attack.

“The victim is infected with Amadey, Amadey loads the StealC malware, then the credential flusher, which launches the browser in kiosk mode,” the researchers noted.

TrickMo Variant and Other Browser-Based Threats

Naturally, the list does not stop there.

Another malware variant, which the researchers have identified, is the new version of a known banking Trojan: TrickMo malware. As in the previous version, it was masquerading as an application for the Google Chrome browser on Android devices. What makes this variant different is that it ups the ante further than ever before with stealing 2FA code credentials.

Once installed, TrickMo disguises itself as an update from Google Play and guides the user to grant it various permissions. These permissions allow the malware to intercept SMS messages and steal Google Account Passwords using fake login screens. “This clever obfuscation strategy can result in an unzip operation overwriting these key files, which may hinder any subsequent analysis,” the researchers said, referring to the use of malformed Zip archive files to avoid detection.

To minimize the risks of becoming a target for such an attack, Chrome Users are advised by Google Passwords manager not to install applications from unofficial stores or side-load with third-party stores, keep systems and browsers updated.

Once a user is trapped inside kiosk mode, he may use the keyboard shortcut Alt + F4, Ctrl + Shift + Esc, or Win Key + R combination to quit it and kill the browser process. If these techniques are unsuccessful, a hard shutdown and boot up into Safe Mode is advised to eliminate the malware.

New Windows Vulnerabilities Bring More Risks

Chrome users are not the only ones at risk. The CISA recently added a new Microsoft Windows zero-day exploited and used vulnerability to its Known Exploitation Catalogue that was affecting the MSHTML browser engine used for backward compatibility.

The vulnerability of CVE-2024-43461 has been exploited by the group referred to as Void Banshee in delivering malware through components that are still embedded in the Windows systems for Internet Explorer. In light of these increasing threats, users may wonder: How safe is Google Password Manager? Given the evolving tactics of cybercriminals, relying on built-in browser password managers, like the one provided by Google, requires continuous vigilance and regular updates to mitigate risks.

Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Cybersecurity sections to stay informed and up-to-date with our daily articles.

Tags: