Several infostealer malware variants have found ways to circumvent Google Chrome’s App-Bound Encryption feature. This security measure, introduced to safeguard sensitive data including cookies and saved passwords, was bypassed faster than anticipated by multiple threat actors.
Understanding App-Bound Encryption and Its Importance
App-Bound Encryption, launched with Chrome 127 in July 2024, changed how Chrome on Windows protects the key that encrypts cookies and saved passwords. Previously that key was wrapped only with the user's DPAPI, so any program running as the same user could unwrap it. Under App-Bound Encryption the key is additionally wrapped by a Chrome service running with SYSTEM privileges, which checks the identity of the calling process before unwrapping it. The intent was that malware running with ordinary user rights could no longer simply read the secrets off disk; an attacker would need SYSTEM-level access, or a way to act from inside Chrome itself, to recover the key.
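To make the on-disk side of this concrete, here is an added example (not from the article and not Chrome's own code) that inspects the two key records Chrome keeps under `os_crypt` in a profile's `Local State` file and splits an encrypted cookie or password value into its parts. The prefixes it checks (`DPAPI` and `APPB` on the decoded key records, `v10` and `v20` on individual values) are the ones Chrome writes; the Local State document and the sample values are constructed test data, not real keys or ciphertext.

```python
"""Inspect the on-disk markers of Chrome's App-Bound Encryption.

Added example for this article; not Chrome's code. The sample Local State
and sample encrypted values below are constructed (random-looking bytes
stand in for real DPAPI blobs and ciphertext).
"""
import base64
import json

# Prefixes on the base64-decoded key records in Local State -> "os_crypt".
DPAPI_KEY_PREFIX = b"DPAPI"  # legacy key: AES-256 key wrapped with the user's DPAPI
APPB_KEY_PREFIX = b"APPB"    # app-bound key: additionally wrapped via the SYSTEM service

# Prefixes on individual encrypted values in the Cookies / Login Data databases.
V10 = b"v10"  # AES-256-GCM under the legacy DPAPI-wrapped key
V20 = b"v20"  # AES-256-GCM under the app-bound key (Chrome 127+)

NONCE_LEN = 12  # AES-GCM nonce that follows the 3-byte prefix
TAG_LEN = 16    # AES-GCM authentication tag at the end of the value


def key_records(local_state_json: str) -> dict:
    """Report which key records exist in Local State and whether each one
    carries the prefix Chrome writes for it."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    result = {}
    for field, prefix in (("encrypted_key", DPAPI_KEY_PREFIX),
                          ("app_bound_encrypted_key", APPB_KEY_PREFIX)):
        value = os_crypt.get(field)
        if value is None:
            result[field] = "absent"
            continue
        raw = base64.b64decode(value)
        result[field] = "ok" if raw.startswith(prefix) else "unexpected prefix"
    return result


def classify_value(blob: bytes) -> dict:
    """Split an encrypted cookie/password value into prefix, nonce, ciphertext, tag.

    Values with no version prefix are raw DPAPI blobs, the format Chrome used
    before the v10 scheme; they carry no nonce or tag.
    """
    if blob.startswith(V20):
        scheme = "app-bound (v20)"
    elif blob.startswith(V10):
        scheme = "dpapi-key (v10)"
    else:
        return {"scheme": "dpapi (no version prefix)", "needs_elevation_service": False}
    if len(blob) < len(V20) + NONCE_LEN + TAG_LEN:
        raise ValueError("value too short to hold a nonce and a tag")
    body = blob[len(V20):]
    return {
        "scheme": scheme,
        "nonce": body[:NONCE_LEN],
        "ciphertext": body[NONCE_LEN:-TAG_LEN],
        "tag": body[-TAG_LEN:],
        # Only v20 values need the app-bound key, i.e. the SYSTEM-side unwrap.
        "needs_elevation_service": blob.startswith(V20),
    }


# --- constructed sample data (not real keys or secrets) ---
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(DPAPI_KEY_PREFIX + b"\x01" * 40).decode(),
        "app_bound_encrypted_key": base64.b64encode(APPB_KEY_PREFIX + b"\x02" * 40).decode(),
    }
})
SAMPLE_V20_VALUE = V20 + b"N" * NONCE_LEN + b"C" * 20 + b"T" * TAG_LEN
SAMPLE_V10_VALUE = V10 + b"n" * NONCE_LEN + b"c" * 8 + b"t" * TAG_LEN

if __name__ == "__main__":
    print(key_records(SAMPLE_LOCAL_STATE))
    for value in (SAMPLE_V20_VALUE, SAMPLE_V10_VALUE):
        print(classify_value(value)["scheme"])
```

A profile whose Local State has only `encrypted_key` and whose values all start with `v10` is protected by nothing more than the user's DPAPI; the `app_bound_encrypted_key` record and `v20` values are what indicate that the SYSTEM-side unwrap is in play. The parser deliberately stops at the layout: decrypting a v20 value requires the unwrapped app-bound key, which is exactly what the service is meant to withhold from a process that is not Chrome.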
Rapid Adaptation by Malware Developers
Cybersecurity researchers g0njxa and RussianPanda9xx have reported that developers of multiple infostealer variants are already boasting about their ability to bypass this protection. Notable malware strains claiming this capability include:
- MeduzaStealer
- Whitesnake
- Lumma Stealer
- Lumar (PovertyStealer)
- Vidar Stealer
- StealC
These claims aren’t merely hollow boasts. Researcher g0njxa has verified that the latest iteration of Lumma can indeed circumvent the protection in Chrome 129, the browser’s most recent version at the time.
Timeline of Bypass Implementation
The speed at which these malware developers have adapted is alarming:
- Meduza and WhiteSnake: Implemented bypass mechanisms approximately two weeks after Chrome 127 launched
- Lumma: Added the feature within a week of those two
- Vidar and StealC: Introduced bypass capabilities shortly after
Lumar’s developers initially created a temporary solution requiring administrator privileges, quickly followed by a full bypass mechanism operating with standard user privileges. The developers of Rhadamanthys malware claimed it took them a mere 10 minutes to overcome the encryption.
Chrome and Browser Password Vault Users Targeted by Infostealer Bypass
Any Windows user running Google Chrome with saved passwords, session cookies, or stored credentials is at risk. The threat is particularly acute for:
- Enterprise employees whose browsers store corporate SSO session tokens
- Users of online banking, cryptocurrency exchanges, or e-commerce platforms
- Anyone who has opened a malicious attachment from a phishing email in the past year, since that is how these stealers are typically delivered
Mitigating Infostealer Risk: Chrome Password Manager and Browser Security
- Keep Chrome updated to the latest version; the bypasses described above were verified against Chrome 129, and later releases may change the details of the protection
- Enable multi-factor authentication (MFA) on all accounts. Note that MFA limits what an attacker can do with a stolen password, not with a stolen session cookie: a valid cookie is replayed after the MFA challenge has already been passed, so a suspected compromise also requires signing out of all sessions so that the stolen cookies are revoked
- Do not rely solely on browser-saved passwords; use a dedicated password manager with its own encryption layer
- Deploy endpoint detection and response (EDR) capable of flagging processes other than Chrome that read the files holding the encrypted secrets: Local State (the wrapped keys) and the Login Data and Cookies databases in the profile directory
- Review MITRE ATT&CK techniques T1539 (Steal Web Session Cookie) and T1555.003 (Credentials from Password Stores: Web Browsers) to understand how attackers operationalize stolen cookies and saved passwords
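The detection point above can be expressed as a small correlation rule. The following is an added example for this article (not from the original page or from any EDR vendor): it takes file-access telemetry as one JSON object per line, ignores Chrome reading its own profile, and raises a high-severity finding when one non-Chrome process reads both the key file (Local State) and a secret database, or when a binary named chrome.exe runs from outside the Google install path. The field names `ts`, `pid`, `image`, `op` and `path`, and the log lines themselves, are constructed for the example and will need mapping onto your EDR's own schema.

```python
"""Flag processes other than Chrome that touch Chrome's secret stores.

Added example for this article, not from the original page or from any EDR
product. The input schema (one JSON object per line with "ts", "pid",
"image", "op", "path") and the sample log below are constructed.
"""
import json
import ntpath
from collections import defaultdict
from typing import Optional

# Per-machine and per-user locations of a legitimate Chrome binary.
CHROME_IMAGES = {
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
}
CHROME_USER_INSTALL = "\\appdata\\local\\google\\chrome\\application\\chrome.exe"

PROFILE_DIR = "\\google\\chrome\\user data\\"
KEY_FILE = "local state"                           # wrapped keys live here
DB_FILES = {"login data", "cookies", "web data"}   # passwords, cookies, autofill


def profile_file_kind(path: str) -> Optional[str]:
    """'key' for Local State, the database name for a secret store, else None."""
    p = path.lower().replace("/", "\\")
    if PROFILE_DIR not in p:
        return None
    name = ntpath.basename(p)
    if name == KEY_FILE:
        return "key"
    return name if name in DB_FILES else None


def trusted_chrome(image: str) -> bool:
    """True only for chrome.exe at one of the known install locations."""
    i = image.lower().replace("/", "\\")
    return i in CHROME_IMAGES or i.endswith(CHROME_USER_INSTALL)


def analyze(log_text: str) -> list:
    """Correlate accesses per pid. A process that reads the key file and a
    secret database has everything an infostealer needs to decrypt offline."""
    per_pid = defaultdict(lambda: {"image": "", "key": False, "dbs": set()})
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        kind = profile_file_kind(ev["path"])
        if kind is None or trusted_chrome(ev["image"]):
            continue  # not a secret store, or Chrome reading its own profile
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if kind == "key":
            rec["key"] = True
        else:
            rec["dbs"].add(kind)

    findings = []
    for pid, rec in sorted(per_pid.items()):
        exe = ntpath.basename(rec["image"]).lower()
        if exe == "chrome.exe":
            sev, why = "high", "chrome.exe outside the Google install path touched profile secrets"
        elif rec["key"] and rec["dbs"]:
            sev, why = "high", "read Local State plus " + ", ".join(sorted(rec["dbs"]))
        else:
            what = ", ".join(sorted(rec["dbs"])) or "Local State"
            sev, why = "medium", "non-browser process touched " + what
        findings.append({"pid": pid, "image": rec["image"], "severity": sev, "reason": why})
    return findings


# Constructed sample telemetry: Chrome itself, a stealer run from %TEMP%,
# a renamed binary masquerading as chrome.exe, and a backup agent.
SAMPLE_LOG = r"""
{"ts":"2024-10-01T09:12:01Z","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts":"2024-10-01T09:12:02Z","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2024-10-01T09:40:10Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_2024.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts":"2024-10-01T09:40:11Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_2024.exe","op":"copy","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2024-10-01T09:40:11Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_2024.exe","op":"copy","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2024-10-01T10:02:30Z","pid":9001,"image":"C:\\Users\\alice\\Downloads\\chrome.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2024-10-01T11:00:00Z","pid":5120,"image":"C:\\Program Files\\BackupCo\\agent.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"], f["pid"], f["image"], "-", f["reason"])
```

The medium tier is where legitimate readers such as backup or antivirus agents will surface; allowlist them by signed image path rather than by file name, since the masquerade case shows how cheap a name is to fake. Note that the rule covers the file-read route only: a stealer that obtains the key through the SYSTEM service itself, or by acting from inside a genuine Chrome process, produces no unusual file access and needs process-level telemetry instead.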