A newly discovered infostealer known as VoidStealer is drawing attention from security researchers after demonstrating the ability to bypass browser protections designed to secure sensitive Chrome data. The malware targets Google Chrome’s App-Bound Encryption (ABE), a security feature introduced to better protect stored credentials and session cookies.
Researchers found that VoidStealer can extract encryption keys directly from browser memory, allowing attackers to steal active sessions and access accounts even on fully updated systems.
How VoidStealer Bypasses Chrome Protections
Google introduced App-Bound Encryption in Chrome 127 to strengthen protection around sensitive browser data such as cookies, passwords, and session tokens. The feature was designed to prevent malware running with normal user privileges from accessing Chrome’s encryption keys.

Unlike older protection methods based on DPAPI, ABE binds encryption keys directly to the Chrome application. A dedicated system process validates that only Chrome can request access to those keys.
However, VoidStealer avoids interacting with Chrome through official APIs. Instead, it targets the moment when Chrome decrypts sensitive data in memory.
Researchers observed that the malware:
- Attaches itself to the Chrome process as a debugger
- Monitors the browser’s decryption workflow
- Pauses execution when encryption keys are loaded into memory
- Extracts the decrypted keys directly from RAM
Because the attack focuses on runtime behavior rather than stored files, it bypasses many of the protections implemented by App-Bound Encryption.
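From the defender's side, the behaviour above can be hunted for in process-access telemetry. The following is an added example, not code from the researchers or the original article: it flags events where a foreign process opens a Chromium browser process with memory-read or full access rights. The events are constructed, the field names follow Sysmon Event ID 10 (ProcessAccess), and the browser executable names and the ExampleEDR allowlist entry are assumptions.

```python
import ntpath

# Windows process access rights (winnt.h values)
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed executable names for Chromium-based browsers
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EDR = r"C:\Program Files\ExampleEDR\agent.exe"  # hypothetical security agent

# Constructed events using Sysmon Event ID 10 (ProcessAccess) field names
SAMPLE_EVENTS = [
    {"SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\Downloads\chrome.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x0010"},
    {"SourceImage": EDR, "TargetImage": EDGE, "GrantedAccess": "0x1FFFFF"},
]

def classify(event, allowlist=frozenset()):
    """Return a reason if a foreign process got memory-level access to a browser."""
    src, dst = event["SourceImage"].lower(), event["TargetImage"].lower()
    if ntpath.basename(dst) not in BROWSERS:
        return None
    # Compare full paths: a browser opening its own child processes is normal,
    # but a look-alike chrome.exe in another directory is a different image.
    if src == dst or src in allowlist:
        return None
    mask = int(event["GrantedAccess"], 16)
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return "full access"  # the level of access a debugger attach asks for
    if mask & PROCESS_VM_READ:
        return "memory read"
    return None

def scan(events, allowlist=frozenset()):
    """Return (source image, reason) for every event that classify() flags."""
    hits = [(e["SourceImage"], classify(e, allowlist)) for e in events]
    return [(src, reason) for src, reason in hits if reason]

if __name__ == "__main__":
    for source, reason in scan(SAMPLE_EVENTS, allowlist={EDR.lower()}):
        print(f"ALERT {source}: {reason}")
```

Security products and crash handlers also open browser processes with these rights, so the allowlist has to be built from the environment's own baseline before this is used for alerting.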
Impact on Chromium Browsers and Security Risks
Once attackers obtain the decrypted session data, they can hijack active sessions without needing usernames or passwords. This allows threat actors to access accounts as if they were the legitimate user.
The malware affects multiple Chromium-based browsers, including:
- Google Chrome
- Microsoft Edge
- Brave
- Opera
- Vivaldi
Researchers also noted that VoidStealer is being distributed through a malware-as-a-service model, allowing cybercriminals to rent the malware and scale attacks more easily.
The discovery highlights an ongoing challenge in browser security. Even with stronger encryption mechanisms, attackers continue to focus on runtime memory access, where sensitive data must temporarily exist in decrypted form during legitimate browser operations.
To reduce exposure, security experts recommend avoiding untrusted software downloads, keeping browsers fully updated, using strong endpoint protection, and storing credentials in dedicated password managers instead of directly in browsers.