This dangerous malware is able to hijack your Google Account by reviving cookies

At least six groups have been found using the exploit


A serious exploit affecting Google services, which is being used to grant threat actors persistent access to Google Accounts, has been uncovered by the cybersecurity company CloudSEK.

The exploit, which was identified in October 2023, enables continuous access to Google services even after a victim resets their password.

The exploit has “rapidly spread” to various malware groups, and has been adopted by the Lumma, Rhadamanthys, Risepro, Meduza, Stealc, and White Snake infostealers.


Google account hijacking malware spreads rapidly


CloudSEK says the exploit allows the generation of persistent Google cookies through token manipulation, giving a threat actor continuous access to a victim’s account.

Since information about the vulnerability was exposed in October, a growing list of threat actors have been incorporating the exploit into their infostealers and malware to get access to Google accounts. At least six groups are now actively exploiting the vulnerability with their own malware.

CloudSEK’s analysis confirms that the Google OAuth endpoint MultiLogin, which is designed to synchronize Google Accounts across services and give users a consistent experience, is the component threat actors abuse to break into Google Accounts.

Reverse engineering has revealed that the malware targets the token_service table of Chrome’s Web Data SQLite database to extract tokens and account IDs from Chrome profiles.
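The token_service table mentioned above is a normal SQLite table, so an incident responder can enumerate it to learn which Google accounts had refresh tokens sitting in a compromised profile and therefore need their sessions revoked. The following Python is an added example written for this article, not CloudSEK’s analysis code or anything taken from the stealers; the sample database it builds is constructed to mirror the table layout Chrome uses (a `service` key of the form `AccountId-<gaia id>` plus an `encrypted_token` blob), and the token values in it are dummy bytes. It deliberately does not decrypt the tokens, which Chrome protects with the OS key store, and it never writes to the real profile.

```python
"""Inventory Google account tokens stored in a Chrome profile's "Web Data"
SQLite database (the token_service table read by the stealers in the article).
Added example for incident responders; not code from CloudSEK or the malware."""
import os
import shutil
import sqlite3
import tempfile
from dataclasses import dataclass
from typing import List, Optional

ACCOUNT_PREFIX = "AccountId-"  # Chrome keys per-account refresh tokens this way


@dataclass
class StoredToken:
    service: str               # raw primary key from the table
    account_id: Optional[str]  # Gaia ID parsed from "AccountId-<id>", else None
    encrypted_token_len: int   # size of the OS-encrypted blob; we never decrypt it


def list_token_service(web_data_path: str) -> List[StoredToken]:
    """Read the token_service table from a COPY of the profile database.

    Chrome holds the live file open and locked, so we copy it first and open the
    copy read-only; the original profile is never modified.
    """
    with tempfile.TemporaryDirectory() as tmp:
        snapshot = os.path.join(tmp, "Web Data.snapshot")
        shutil.copy2(web_data_path, snapshot)
        con = sqlite3.connect(f"file:{snapshot}?mode=ro", uri=True)
        try:
            present = con.execute(
                "SELECT 1 FROM sqlite_master WHERE type='table' AND name='token_service'"
            ).fetchone()
            if present is None:
                return []  # profile never signed in, or table renamed by a newer Chrome
            rows = con.execute(
                "SELECT service, encrypted_token FROM token_service"
            ).fetchall()
        finally:
            con.close()

    tokens = []
    for service, blob in rows:
        account_id = service[len(ACCOUNT_PREFIX):] if service.startswith(ACCOUNT_PREFIX) else None
        tokens.append(StoredToken(service, account_id, len(blob or b"")))
    return tokens


def exposed_accounts(tokens: List[StoredToken]) -> List[str]:
    """Account IDs whose refresh token was present: these sessions must be revoked."""
    return sorted(t.account_id for t in tokens if t.account_id and t.encrypted_token_len > 0)


def build_sample_web_data(path: str) -> None:
    """Constructed sample database with Chrome's token_service layout (dummy blobs)."""
    con = sqlite3.connect(path)
    with con:
        con.execute(
            "CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
        )
        con.executemany(
            "INSERT INTO token_service VALUES (?, ?)",
            [
                ("AccountId-100000000000000000001", b"\x01" * 64),  # dummy, not a real token
                ("AccountId-100000000000000000002", b"\x02" * 64),  # dummy, not a real token
                ("AccountId-100000000000000000003", b""),           # signed-out: empty blob
            ],
        )
    con.close()


def demo() -> List[str]:
    """Build the constructed sample profile, inventory it, and return exposed IDs."""
    with tempfile.TemporaryDirectory() as tmp:
        web_data = os.path.join(tmp, "Web Data")
        build_sample_web_data(web_data)
        return exposed_accounts(list_token_service(web_data))


if __name__ == "__main__":
    for account in demo():
        print(f"refresh token present for Gaia ID {account}: revoke its sessions")
```

On a real machine point `list_token_service` at the profile’s `Web Data` file (for example `~/.config/google-chrome/Default/Web Data` on Linux); any account it lists had a stealable token and should be signed out of the affected browser or revoked from the account’s devices page.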


Threat actors can use the stolen tokens and account IDs to regenerate session cookies, which are designed to have a limited lifespan, and so keep access to a victim’s account after the original cookies would have expired.

Reporting by Bleeping Computer reveals that one group, Lumma, has already updated the exploit to counteract Google’s mitigations, indicating that Google is already aware of the exploit. By the looks of it, though, Lumma has outsmarted the company – for now.

A Google spokesperson told TechRadar Pro in an email:

“Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

In the meantime, users can avoid a lot of cybersecurity problems just by being careful about what they download – a lot of malware is ‘voluntarily’ downloaded (intentionally or unintentionally) by the victim. Chrome users can also enable Enhanced Safe Browsing to protect against phishing and malware downloads, and anyone who suspects an infection should sign out of the affected browser or revoke its sessions from their Google Account’s devices page, as Google describes above, rather than relying on a password reset alone.


With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
