Saturday, November 23, 2024

This New Malware Uses a Unique Trick to Steal Your Google Account


If your Chrome browser went full-screen and showed you a Google login page, what would you do? If you said you’d try logging in, you would have lost your account to a malicious agent using your browser’s kiosk mode against you.

But what does that mean, and how can you dodge it?

What Is “Kiosk Mode” on a Web Browser?

Kiosk mode isn’t a bad thing by itself. Companies use a browser’s kiosk mode to prevent users from interacting with things they shouldn’t be messing with. If you’ve ever used a public kiosk or web terminal’s browser and noticed you couldn’t minimize it or navigate to a different website, it was likely in kiosk mode.

Operating systems can have kiosk modes, as covered in our guides on enabling kiosk mode in Windows 10 and Windows 11.

How Malicious Agents Use Kiosk Mode to Steal Your Credentials

Image Credit: OALABS Research

Kiosk mode sounds innocent enough, but some malware developers have found a way to use it to steal your Google login credentials. It’s a pretty sneaky attack and tricky to get out of if you’re stuck in it—but not impossible.

As reported by OALABS research, the attack begins with an Amadey infection. Amadey has been around since 2018 and uses every trick in the book to spread onto PCs. Because it’s a general piece of malware, you can follow the easy ways to never get a virus, and you should be safe.

Once Amadey gets onto a system, it deploys both a credential flusher and a stealer. The credential flusher tricks the user into typing their password while the stealer waits to record the user’s input.

The credential flusher scans the victim’s PC for a browser. Once it finds one, it forces the browser to launch in kiosk mode, which makes the browser fill the entire screen with no visible means of closing the window or navigating away. It then disables the Escape and F11 keys so the victim can’t leave the browser’s fullscreen mode.

Once the user is locked into kiosk mode, the credential flusher directs the browser to a Google login page. The login page is the real one, so it doesn’t raise the alarm bells a fake website would. Frustrated by their predicament, the victim assumes that logging into their Google account will give them back control of their computer. As they enter their username and password, the stealer records what was typed and sends it to the malicious agent.
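The behaviour just described leaves a simple trace for defenders: a browser started in kiosk mode by a process that has no business doing so, pointed at a sign-in page. The following is an added detection sketch, not code from the article or from OALABS. It parses a handful of constructed, simplified process-creation events (the pipe-separated `Key=Value` line format, the field names and the sample paths are all assumptions), and flags kiosk launches whose parent is not on an allowlist of sanctioned kiosk launchers (the `kiosklauncher.exe` name is likewise assumed). The browser names and the `--kiosk` flag are real; Chromium-based browsers and Firefox both accept it.

```python
"""Detection sketch for the kiosk-mode credential trap (added example, not the
article's or OALABS' code). Log format, field names, sample events and the
parent allowlist are constructed assumptions; tune them per environment."""
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
KIOSK_FLAGS = {"--kiosk", "-kiosk"}
# Parents allowed to start a browser in kiosk mode (assumed managed launcher).
ALLOWED_KIOSK_PARENTS = {"kiosklauncher.exe"}
# Sign-in hosts whose presence in a kiosk launch points at a credential trap.
LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com")


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse the constructed 'Image=...|ParentImage=...|CommandLine=...|User=...' format."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(
        image=fields["Image"],
        parent_image=fields["ParentImage"],
        command_line=fields["CommandLine"],
        user=fields.get("User", ""),
    )


def is_kiosk_launch(ev: ProcessEvent) -> bool:
    """True when a known browser is started with a kiosk-mode flag."""
    if _basename(ev.image) not in BROWSERS:
        return False
    return any(tok.lower() in KIOSK_FLAGS for tok in ev.command_line.split())


def assess(ev: ProcessEvent) -> list:
    """Return the reasons this event looks like the trap; an empty list means benign."""
    reasons = []
    if not is_kiosk_launch(ev):
        return reasons
    if _basename(ev.parent_image) not in ALLOWED_KIOSK_PARENTS:
        reasons.append("kiosk-from-unexpected-parent")
    cmd = ev.command_line.lower()
    if any(host in cmd for host in LOGIN_HOSTS):
        reasons.append("kiosk-to-login-page")
    return reasons


def scan(lines) -> list:
    """Run assess() over raw log lines and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            alerts.append({
                "image": _basename(ev.image),
                "parent": _basename(ev.parent_image),
                "user": ev.user,
                "reasons": reasons,
            })
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    # Normal browsing: explorer.exe starts Chrome with a plain URL.
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=chrome.exe https://www.example.com|User=LAB\alice",
    # Matches the trap: a binary in a temp folder starts Chrome in kiosk mode
    # pointed at the genuine Google sign-in page.
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Users\alice\AppData\Local\Temp\svc_update.exe|CommandLine=chrome.exe --kiosk https://accounts.google.com/|User=LAB\alice",
    # Sanctioned kiosk: the (assumed) managed launcher starts Edge in kiosk mode.
    r"Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|ParentImage=C:\Kiosk\kiosklauncher.exe|CommandLine=msedge.exe --kiosk https://intranet.example/board|User=LAB\kiosk",
    # Kiosk mode from an unknown parent with no login URL: still worth a look.
    r"Image=C:\Program Files\Mozilla Firefox\firefox.exe|ParentImage=C:\Users\bob\Downloads\setup.exe|CommandLine=firefox.exe --kiosk https://www.example.com|User=LAB\bob",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the block prints two alerts: the Chrome launch from the temp-folder binary with both reasons, and the Firefox launch from the downloaded installer with one. The sanctioned Edge kiosk and the ordinary Chrome session produce nothing, which is the point of keeping the parent allowlist small and explicit rather than suppressing every kiosk launch.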

How to Escape the Kiosk Mode Attack

Image: A man pressing the Alt and F4 keys on a Windows keyboard (Jasni/Shutterstock)

Fortunately, the malware doesn’t block every way out. If you’re hit by this malware, you can get out of it by pressing Alt + F4 to close the window. You can also press Ctrl + Alt + Del (then choose Task Manager) or Ctrl + Shift + Esc to bring up the Task Manager and close your browser from there. Alt + Tab will also let you switch windows and escape the trap. And if push comes to shove, pressing (not holding) your computer’s power button should trigger a controlled shutdown and close your browser with it.

It’s also a great idea to secure your Google account with two-factor authentication (2FA). Any 2FA method should work fine, but if you really want to ruin a hacker’s day, opt for the version where Google sends a login request to one of your other devices. This sends a request that you tap “accept” on and doesn’t involve typing anything in. As such, not only will the hacker need your device to gain access to your account, but they can’t even use their malware to watch you enter a 2FA code so they can use it for themselves.

This kiosk mode attack is especially devious and tries its best to annoy the user enough to enter their credentials. Fortunately, simply knowing of the attack’s existence is 90% of the way toward keeping you safe, with the other 10% being the knowledge of how to escape it. Now that you’re armed with both, this attack shouldn’t catch you off-guard.
