Google Enhances Chrome Security to Protect Users From Cookie-Stealing Malware


Cybercriminals using cookie-stealing infostealer malware continue to pose a significant risk to user safety and security.

Google has already introduced several measures against this threat, including Safe Browsing download protection in Chrome, Device Bound Session Credentials, and account-based threat detection that alerts users when stolen cookies are misused.


Google is now adding another layer of protection for Windows users against this type of malware.

Chrome currently secures sensitive data like cookies and passwords using the strongest techniques available on each operating system.

On macOS, Chrome uses Keychain services, while on Linux it uses system-provided wallets such as kwallet or gnome-libsecret. On Windows, Chrome uses the Data Protection API (DPAPI), which protects data at rest from other users on the system and from cold boot attacks.

However, DPAPI does not protect against malicious applications running as the logged-in user, which is exactly the position an infostealer operates from: any process with the user's credentials can ask DPAPI to decrypt the user's data.
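The following PowerShell snippet is an added illustration of that boundary and is not code from the article or from Google. It protects a constructed sample value with DPAPI in the CurrentUser scope, then has a separate process (a background job spawned as the same user, standing in for an unrelated program) decrypt it. It assumes Windows PowerShell 5.1, where the ProtectedData type must be loaded with Add-Type; on PowerShell 7 for Windows the type is already available and that line can be dropped.

```powershell
# Added illustration (not from the article or Google): DPAPI's boundary is the
# Windows user account, not the application that called it.
# Assumes Windows PowerShell 5.1; System.Security holds ProtectedData there.
Add-Type -AssemblyName System.Security

function Protect-AsCurrentUser {
    param([string]$Secret)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Secret)
    # Scope CurrentUser: the master key is derived from the calling user's logon
    # credentials. No application identity takes part in the encryption.
    $blob = [Security.Cryptography.ProtectedData]::Protect(
                $bytes, $null,
                [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Convert]::ToBase64String($blob)
}

# Constructed stand-in for the kind of value Chrome protects with DPAPI
# (a cookie-encryption key, for example).
$blob = Protect-AsCurrentUser -Secret 'constructed-sample-cookie-key'

# Simulate an unrelated program: Start-Job launches a separate PowerShell
# process under the same logged-in user. It shares nothing with the process
# that produced the blob except the user account.
$job = Start-Job -ArgumentList $blob -ScriptBlock {
    param($b64)
    Add-Type -AssemblyName System.Security
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
                [Convert]::FromBase64String($b64), $null,
                [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Text.Encoding]::UTF8.GetString($plain)
}
$recovered = Receive-Job -Job $job -Wait -AutoRemoveJob
"Unrelated process running as the same user recovered: $recovered"
```

The second process gets the plaintext back because DPAPI only checks that the caller runs under the same user account. The same call made by a different user, or with a blob copied to another machine, fails with a CryptographicException, which is the protection DPAPI was designed to give and the one infostealers never have to defeat.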


Introducing App-Bound Encryption

In Chrome 127 for Windows, Google introduces App-Bound Encryption. Rather than relying on DPAPI alone, Chrome encrypts data tied to the application's identity: a privileged App-Bound service encodes the identity of the application into the encrypted data and checks it again whenever decryption is requested.

Because the App-Bound service runs with system privileges, an application running merely as the user cannot decrypt the data. Together with other measures, such as event logging for cookie decryption, this raises both the cost and the detection risk for attackers trying to steal user data.

How It Works

This protection is particularly beneficial in enterprise environments that do not allow users to run downloaded files as administrators.

In such settings, malware cannot simply request elevated privileges; it must fall back on techniques such as injecting code into Chrome, which endpoint agents can detect more readily.

However, App-Bound Encryption strongly binds the encryption key to the machine, which means it will not function correctly in environments where Chrome profiles roam between multiple machines.

Google recommends that enterprises wishing to support roaming profiles follow current best practices; if necessary, app-bound encryption can be configured with the new ApplicationBoundEncryptionEnabled policy.

To help detect incompatibilities, Chrome emits an event whenever a verification fails: Event ID 257 from the 'Chrome' source in the Application log.
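For administrators who want to check both the policy state and the failure events on a fleet, the following PowerShell snippet is an added example, not code from the article or from Google. The policy name, event ID, source and log are the ones stated above; the registry location is assumed to be Chrome's standard machine-policy key, and the interpretation of an absent value as "Chrome default" is also an assumption made here.

```powershell
# Added example (not from the article or Google). Reports whether
# ApplicationBoundEncryptionEnabled is set by policy and lists recent
# App-Bound verification failures (Event ID 257, source 'Chrome', Application log).

function Get-ChromeAppBoundPolicy {
    # Assumption: Chrome reads machine policies from this key. An absent value
    # means the policy is not set and Chrome's own default applies.
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $v = Get-ItemProperty -Path $key -Name ApplicationBoundEncryptionEnabled `
            -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not set (Chrome default applies)' }
    if ($v.ApplicationBoundEncryptionEnabled -eq 0) { 'disabled by policy' }
    else { 'enabled by policy' }
}

function Get-ChromeAppBoundFailures {
    param([int]$Days = 7)
    # Event ID 257 from the 'Chrome' source is written to the Application log
    # when App-Bound verification fails; on a roaming-profile estate this is
    # the first place an incompatibility shows up.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Chrome'
        Id           = 257
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as a non-terminating error;
    # suppress it so an empty result is simply an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

"ApplicationBoundEncryptionEnabled: $(Get-ChromeAppBoundPolicy)"
$failures = Get-ChromeAppBoundFailures -Days 7
if ($failures) {
    $failures | Format-Table -AutoSize
} else {
    'No App-Bound verification failures (Event ID 257) in the last 7 days.'
}
```

A burst of Event ID 257 on machines where Chrome profiles roam is the signature of the incompatibility described above and points to either fixing the profile setup or setting the policy; the same event on a machine with a local profile deserves a closer look, since something other than a roamed profile failed verification.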

App-bound encryption raises the cost of data theft for attackers and makes their actions more conspicuous on the system. It also lets defenders draw a clear line for what counts as acceptable behavior from other apps on the system.

As the malware landscape evolves, Google remains committed to engaging with the security community to improve detections and strengthen operating system protections, such as stronger app isolation primitives, for any bypasses.
