A newly discovered infostealer called VoidStealer is raising concerns after researchers revealed it can bypass Google Chrome’s App-Bound Encryption (ABE), a security feature designed to protect sensitive browser data.
The malware introduces a novel technique that allows attackers to extract encryption keys directly from memory, enabling session hijacking and credential theft even on updated systems.
VoidStealer Malware Targets Chrome Data
Google introduced App-Bound Encryption in Chrome version 127 (July 2024) to address widespread abuse of stolen session cookies.
These cookies allow users to stay logged in to websites without re-entering their credentials. However, if stolen, attackers can impersonate users and access accounts.
ABE improved upon the older Data Protection API (DPAPI) by binding encryption keys to the Chrome application itself. A privileged system service verifies that only Chrome can request access to the master key used to decrypt stored data. This design aimed to prevent malware running under user privileges from extracting sensitive information.
However, ABE assumes attackers would need either system-level privileges or code injection into Chrome, assumptions that modern malware continues to challenge.

According to a Kaspersky report shared with GBHackers, VoidStealer uses a sophisticated method that targets a critical weakness: the moment when Chrome decrypts its data in memory.
- The malware attaches to the Chrome process as a debugger.
- It identifies where decryption occurs in the browser’s execution flow.
- A breakpoint is set to pause execution at the exact moment the master key is loaded into memory in plaintext.
- The malware then extracts the key directly from RAM.
This technique avoids triggering ABE’s protections because it does not request the key through official APIs. Instead, it passively observes Chrome’s internal operations.
Example: Imagine a user logging into a banking website. Chrome decrypts the session cookie to authenticate the session. At that exact moment, VoidStealer freezes the process and copies the decrypted key, allowing attackers to reuse the session without credentials.
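From a detection standpoint, the step that stands out in the sequence above is a foreign process obtaining memory-read rights on a browser process, which Sysmon records as Event ID 10 (ProcessAccess). The following is an added example, not code from Kaspersky or GBHackers, that flags such events over a constructed set of JSON-shipped Sysmon records; the field names (SourceImage, TargetImage, GrantedAccess) are Sysmon's own, while the paths, the access masks and the trusted-process allowlist are assumptions for the example.

```python
import json
import ntpath
from typing import Dict, Iterable, List

# Windows process access rights from winnt.h. A debugger attach or a raw
# memory read of the target needs at least PROCESS_VM_READ on its handle.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002
MEMORY_ACCESS_MASK = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Chromium-based browsers that rely on ABE (the list given in the article).
ABE_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Assumed allowlist of OS/security processes that legitimately open every
# process on the host; tune it to the environment and the EDR in use.
TRUSTED_SOURCES = {"csrss.exe", "lsass.exe", "msmpeng.exe"}


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def find_suspicious_browser_access(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return ProcessAccess records in which a non-browser, non-trusted process
    obtained memory-read/write or thread-creation rights on an ABE browser."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("EventID") != 10:  # only Sysmon ProcessAccess events
            continue
        src, dst = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
        if dst not in ABE_BROWSERS or src in ABE_BROWSERS or src in TRUSTED_SOURCES:
            continue  # not a browser target, or the browser's own child / OS service
        if int(ev["GrantedAccess"], 16) & MEMORY_ACCESS_MASK:
            alerts.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                           "granted": ev["GrantedAccess"]})
    return alerts


# Constructed sample records (paths and masks are made up for this example).
SAMPLE_EVENTS = r"""
{"EventID":10,"SourceImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","TargetImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","GrantedAccess":"0x1FFFFF"}
{"EventID":10,"SourceImage":"C:\\Windows\\System32\\csrss.exe","TargetImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","GrantedAccess":"0x1FFFFF"}
{"EventID":10,"SourceImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_crack.exe","TargetImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","GrantedAccess":"0x1FFFFF"}
{"EventID":10,"SourceImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_crack.exe","TargetImage":"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe","GrantedAccess":"0x0400"}
{"EventID":1,"Image":"C:\\Windows\\notepad.exe"}
"""

if __name__ == "__main__":
    for a in find_suspicious_browser_access(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {a['source']} -> {a['target']} ({a['granted']})")
```

The fourth record is deliberately not flagged: a handle opened with only PROCESS_QUERY_INFORMATION (0x0400) cannot read the target's memory, which keeps routine enumeration tools out of the alert stream.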

VoidStealer follows a pattern of rapid ABE bypass development. Shortly after ABE’s release, several infostealers, including Lumma, Meduza, and Whitesnake, claimed similar capabilities. Security researchers later confirmed multiple working bypass techniques, including open-source tools published on GitHub.
This ongoing “cat-and-mouse” dynamic shows that browser-level protections alone are insufficient to counter evolving infostealer tactics.
VoidStealer affects all Chromium-based browsers that rely on ABE, including:
- Google Chrome
- Microsoft Edge
- Brave
- Opera
- Vivaldi
The threat is amplified by its malware-as-a-service (MaaS) model, allowing cybercriminals to rent the tool and scale attacks without developing their own malware.
Mitigation and Security Recommendations
To reduce exposure to infostealer threats:
- Avoid downloading software from untrusted or pirated sources.
- Stay updated on emerging attack methods, including ClickFix delivery techniques.
- Regularly update operating systems and browsers.
- Use reputable endpoint security solutions with behavioral detection.
- Avoid storing sensitive credentials in browsers; instead, use dedicated password managers.
VoidStealer highlights a persistent reality in cybersecurity: attackers increasingly exploit runtime behavior rather than static protections. As long as sensitive data must be decrypted for legitimate use, attackers will continue to target those fleeting moments of exposure.