Malware that can keep accessing your Google account even after you have reset your password was recently discovered. Google has spoken publicly about it and has explained how to stop it from being effective.

Malware can access your Google Account by restoring session cookies

The technique in question was discovered by CloudSEK and, according to its report, has already been adopted by other malware groups, including Lumma, Risepro, Stealc, White Snake, Meduza, and Rhadamanthys.

To gain access to your Google account, the malware restores session cookies, which tricks the browser into thinking there is an active login. This gives the attacker continued access to your Google account, even if you have already changed your password.


More specifically, the malware targets MultiLogin, the Google OAuth endpoint that synchronizes Google accounts across the company’s services so that you only have to log in once. The report indicates that it reads Chrome’s WebData token_service table to obtain what it needs to recreate logged-in cookies.

In effect, the malware turns session cookies, which normally expire, into a ‘permanent’ key that can keep the attacker logged into your Google account indefinitely.

It should be noted that Google has been aware of the malware for weeks and has been taking measures to combat it. However, the report indicates that Lumma, one of the malware groups that integrated the technique into its attack methods, updated it to evade Google’s countermeasures.

Here’s how to avoid being a victim of the malware

Yesterday, Google spoke publicly about the malware that ‘steals’ Google accounts, stating that it has already acted to keep all potentially affected accounts safe:

Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.

Google also confirmed that the session cookies stolen by the malware can be revoked easily: simply log out of your account in the affected browser, or revoke the session remotely from the Google devices page:

However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.

Google also recommended that users follow the steps to remove malware from their devices and enable Enhanced Safe Browsing in Chrome to minimize the risk of being affected.

Jean Leon