Vypr Research
Published May 6, 2026 · Updated May 18, 2026 · 1 source

VoidStealer Malware Bypasses Chrome's App-Bound Encryption by Hooking Decryption as a Debugger

Kaspersky researchers have uncovered a new bypass of Google Chrome's App-Bound Encryption (ABE) by the VoidStealer Trojan, which attaches to the browser as a debugger to capture the decryption key from memory.

Kaspersky researchers have identified a novel technique used by the VoidStealer Trojan to bypass Google Chrome's App-Bound Encryption (ABE), a security feature introduced in July 2024 to protect session cookies and other sensitive data from infostealers. Unlike previous bypasses that relied on privilege escalation or code injection, VoidStealer takes a different approach: it attaches to Chrome as a debugger, a legitimate troubleshooting mechanism, and pauses the browser at the exact moment it decrypts data. This allows the malware to extract the master encryption key directly from memory, effectively neutralizing ABE's protections.

Google introduced ABE specifically to address the limitations of Windows' Data Protection API (DPAPI), which does not prevent malicious applications running as the logged-in user from accessing encrypted data. ABE ensures that only the Chrome application itself can decrypt stored data, not any process masquerading as the legitimate user. However, as Kaspersky researcher Alanna Titterington explained, the architects assumed attackers would need to escalate privileges to system-level or inject malicious code into Chrome to bypass it. VoidStealer's debugger-based approach sidesteps those assumptions entirely.

The technique targets the brief window when Chrome decrypts data for legitimate purposes, such as signing into a website or accessing saved credentials. During this process, the master key is exposed in plaintext in browser memory. By attaching as a debugger, VoidStealer identifies the exact point in the browser's execution where decryption occurs and pauses the process, allowing it to extract the key. This method is distinct from previous ABE bypasses by malware like Meduza Stealer, Whitesnake, Lumma Stealer, and Lumar, which used fileless execution, process hollowing, or direct system calls.

The discovery highlights the ongoing cat-and-mouse game between browser vendors and malware authors. Since ABE's introduction, multiple infostealers have found ways to continue harvesting cookie data and credentials from Chrome and other Chromium-based browsers like Microsoft Edge, Opera, Vivaldi, and Brave. Last year, CyberArk demonstrated a technique called C4 that allowed low-privilege users to decrypt Chrome cookies. Researcher Alex Hagenah also showed a method combining in-memory execution and process hollowing to access encrypted data as legitimate Chrome activity.

VoidStealer's bypass is particularly concerning because it relies on a fundamental feature of the debugging interface itself, which is difficult to block without breaking legitimate developer tools. As enterprises increasingly move workflows to web applications, browsers have become repositories for authentication tokens, credentials, and financial information, making them prime targets. Kaspersky's findings underscore the need for additional layers of protection, such as hardware-backed key storage or behavioral detection of debugger attachment, to defend against this class of attacks.
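As an added example (not code from Kaspersky's report or from the original article), here is a minimal version of the "behavioral detection of debugger attachment" the article suggests: it scans constructed Sysmon-style ProcessAccess (Event ID 10) records and flags any non-Chrome process that opens chrome.exe with memory read/write rights or full access, the rights a debugger attach needs. The key=value record layout, the allow-list and the sample paths are assumptions made for this example.

```python
"""Flag non-Chrome processes opening chrome.exe with debugger-grade access rights.

The records below are constructed samples in a Sysmon Event ID 10 style; the
key=value layout is an assumption for this example, not a format from the page.
"""
import re

# Windows process access rights (real Win32 constants).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Rights that let a foreign process read and alter browser memory, which a
# debugger attach (and a pause-and-read of the key) requires.
SUSPICIOUS_MASK = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Chrome's own processes legitimately open one another (assumed allow-list).
ALLOWED_SOURCES = {"chrome.exe"}

# key=value pairs where values may contain spaces (e.g. "C:\Program Files\...").
RECORD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_record(line):
    """Turn 'EventId=10 SourceImage=... GrantedAccess=0x...' into a dict."""
    return dict(RECORD_RE.findall(line.strip()))


def is_debugger_style_access(rec):
    """True when a non-Chrome source opens chrome.exe with memory access rights."""
    if rec.get("EventId") != "10":
        return False
    target = rec.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    source = rec.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    if target != "chrome.exe" or source in ALLOWED_SOURCES:
        return False
    granted = int(rec.get("GrantedAccess", "0"), 16)
    return granted == PROCESS_ALL_ACCESS or granted & SUSPICIOUS_MASK == SUSPICIOUS_MASK


def find_alerts(lines):
    """Return (SourceImage, GrantedAccess) for each record that trips the rule."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if is_debugger_style_access(rec):
            alerts.append((rec["SourceImage"], rec["GrantedAccess"]))
    return alerts


# Constructed sample events: a Chrome child process, a benign query-only open by
# Task Manager, and an unknown binary taking full access to chrome.exe.
SAMPLE_LOG = [
    r"EventId=10 SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe GrantedAccess=0x1FFFFF",
    r"EventId=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe GrantedAccess=0x1400",
    r"EventId=10 SourceImage=C:\Users\user\AppData\Local\Temp\update.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for src, access in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {src} opened chrome.exe with {access}")
```

Legitimate debuggers used by developers will also trip this rule, so in practice the allow-list is tuned per environment rather than fixed as here.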

Google has not yet commented on the VoidStealer bypass, but the company has a history of shipping ABE improvements in response to prior bypasses. The ongoing arms race suggests that browser-based secrets will remain a high-value target for infostealers, and users should consider additional safeguards like credential managers with hardware-bound encryption and regular session invalidation.

Synthesized by Vypr AI