Hackers Exploit Chrome Kiosk Mode to Steal Google Account Passwords

New research has uncovered a novel method threat actors are using to steal Google account credentials by leveraging a frustrating tactic that traps Chrome users in kiosk mode.

According to researchers at Open Analysis Lab (OALabs), the malware, dubbed StealC, prevents victims from exiting full-screen mode by disabling both the F11 and ESC keys, leaving them with no option but to input their Google account credentials.

The screen displays nothing but a Google login window, increasing the pressure on victims to comply, as they cannot escape the browser environment.

This new technique, which has been active since at least August 22, aims to frustrate users into giving away their credentials. Once the victim enters their Google account details, the StealC malware captures the information and sends it to the attackers.

“The technique involves launching the victim's browser in kiosk mode and navigating to the login page of the targeted service, usually Google,” OALabs researchers explained.

While the initial malware does not directly steal credentials, it serves as a "credential flusher," forcing users to enter their details. The actual credential theft occurs through StealC, which extracts the passwords from the Chrome browser’s credential store.

The campaign relies on a combination of known tools, primarily the Amadey hacking tool, which loads the StealC malware. OALabs researchers, with help from their threat intelligence partners at the Loader Insight Agency, have mapped out a typical attack roadmap, highlighting how these various components work together to compromise user accounts.