A new type of malware is targeting users by locking their browsers in “kiosk mode” to steal Google credentials. This tactic forces browsers into full-screen mode, trapping users on a fake Google login page with no way to exit.
As the user gets more frustrated, they enter their Google credentials in the hope of exiting kiosk mode, and the malware steals them. In this blog, Constructure Technologies dives into how the malware works and how you can protect yourself from this scam.
What is Kiosk Mode?
Kiosk mode is a setting that locks a device, like a tablet or computer, into running a single app or a limited set of apps. This mode hides the interactive elements that are normally present, such as toolbars and navigation controls.
This means users can’t exit or minimize the app, or navigate to other applications. Stores, museums, or educational spaces typically use kiosk mode to restrict access for specific tasks. Most people would not use this in their day-to-day browsing.
How the Malware Works:
Here is how the malware steals your sensitive data:
- Malware enters the system via malicious downloads, phishing emails, or compromised websites.
- Amadey (a malware loading tool) uses an AutoIt script that scans your device for installed browsers and launches one of them in full-screen kiosk mode. It blocks normal exit functions like “Esc” or “F11.”
- Kiosk mode opens to the Google URL where users can change their password: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password.
- The user becomes frustrated that they cannot exit kiosk mode. They falsely believe that entering their Google credentials is the only way out.
- Because this is a password-changing flow, users must enter their password twice to authenticate. They will have the option to save their new password to their browser.
- At this point, if the user saves their credentials to their browser, StealC will steal them. StealC is a type of credential-stealing malware that has been active since 2023.
- Even after entering their credentials, users may still be locked in kiosk mode.
What to do if Malware Locks You in Chrome Browser Kiosk Mode:
If this malware locks you in kiosk mode, do not enter any credentials into the form. Instead, try the following to get out:
- Try other hotkeys: Type in ‘Alt + Tab’, ‘Ctrl + Alt + Delete’, ‘Ctrl + Shift + Esc’, or ‘Alt + F4’.
- Open the Windows command prompt: Press ‘Win Key + R’. Type ‘cmd’, then end the Chrome process with ‘taskkill /IM chrome.exe /F’.
- Perform a hard reset: Hold down the power button until your computer shuts off completely. Upon reboot, press ‘F8’ and click ‘Safe Mode’. Remove the malware on your computer by conducting a full antivirus scan.
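The two sections above describe the infection (a browser forced into kiosk mode and pointed at the Google password page) and the manual recovery (ending the browser process with taskkill). The following is an added detection example, not code from the original post or from Constructure Technologies: it inspects process command lines, flags a browser that was started in kiosk mode, raises the severity when that browser is pointed at a Google sign-in or password URL, and produces the per-PID taskkill command that mirrors the recovery step. Assumptions not taken from the page: Chromium browsers and Firefox both accept a real `--kiosk` switch (Firefox also accepts `-kiosk`), the list of browser executable names is a guess at what a loader would look for, and the process list is constructed inline to stand in for output of a real process enumeration.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Browser executables this check cares about (assumption: the post only names Chrome).
BROWSER_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Real kiosk-mode switches: "--kiosk" for Chromium browsers and Firefox, "-kiosk" also for Firefox.
KIOSK_FLAGS = {"--kiosk", "-kiosk"}

# Hosts of the sign-in / password-change URL quoted in the post.
SENSITIVE_HOSTS = {"accounts.google.com", "myaccount.google.com"}


@dataclass
class Finding:
    pid: int
    exe: str
    url: str
    severity: str   # "high" = kiosk browser on a Google sign-in page, "medium" = any kiosk browser
    reason: str


def _tokens(cmdline: str) -> List[str]:
    # Windows-style split: keep backslashes (posix=False) and drop the surrounding quotes.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def inspect_process(pid: int, cmdline: str) -> Optional[Finding]:
    """Return a Finding if this process is a browser running in kiosk mode, else None."""
    tokens = _tokens(cmdline)
    if not tokens:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in BROWSER_EXES:
        return None
    if not any(t.lower() in KIOSK_FLAGS for t in tokens[1:]):
        return None
    urls = [t for t in tokens[1:] if t.lower().startswith(("http://", "https://"))]
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SENSITIVE_HOSTS:
            return Finding(pid, exe, url, "high",
                           "kiosk-mode browser pointed at a Google sign-in/password page")
    return Finding(pid, exe, urls[0] if urls else "", "medium",
                   "browser in kiosk mode (unusual on a personal PC; verify it is intended)")


def scan(processes: List[Tuple[int, str]]) -> List[Finding]:
    """Run inspect_process over (pid, command line) pairs and keep the findings."""
    findings = []
    for pid, cmdline in processes:
        finding = inspect_process(pid, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Per-PID form of the post's 'taskkill /IM chrome.exe /F', for high-severity findings only."""
    return [f"taskkill /PID {f.pid} /F" for f in findings if f.severity == "high"]


# Constructed sample process list (not captured from a real machine). Entry 4120 reproduces
# the URL quoted in the post; 5010 is a legitimate-looking digital-signage kiosk for contrast.
SAMPLE_PROCESSES = [
    (4120, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk '
           r'"https://accounts.google.com/ServiceLogin?service=accountsettings'
           r'&continue=https://myaccount.google.com/signinoptions/password"'),
    (4388, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US'),
    (5010, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://signage.example.local/board'),
    (2200, r'C:\Windows\System32\notepad.exe'),
    (6102, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -kiosk https://accounts.google.com/signin'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"[{f.severity}] pid={f.pid} {f.exe}: {f.reason} {f.url}")
    for cmd in remediation_commands(scan(SAMPLE_PROCESSES)):
        print(cmd)
```

On a live Windows machine the `(pid, command line)` pairs can come from `Get-CimInstance Win32_Process | Select-Object ProcessId, CommandLine` in PowerShell; the kiosk flag check is deliberately separate from the URL check so that an intended kiosk deployment (digital signage, a locked-down lab PC) shows up as medium rather than being killed outright.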
Google Malware Prevention Tips:
Data solutions provider Constructure Technologies shares some tips to prevent malware infections:
- Use an antivirus tool: Regularly update and run antivirus to detect and block malware.
- Keep your systems updated: Ensure your browser, operating system, and apps are up to date to patch security vulnerabilities.
- Be cautious with downloads: Avoid downloading files or clicking links from unknown sources.
- Enable two-factor authentication: Add an extra layer of protection to your accounts.
- Use strong, unique passwords: Avoid using the same password across multiple sites.
- Stay vigilant: Always verify the legitimacy of login pages and sites. If something looks suspicious, do not enter your personal data. Run an antivirus scan on your computer.
How to Get Rid of Malware on Google Chrome
If you suspect your Chrome browser is infected with malware, follow these steps:
- Open Chrome settings: Click the vertical dots (menu) in the top-right corner and select Settings.
- Reset Chrome settings: Scroll down to the bottom and click Advanced. Under the “Reset and clean up” section, choose Restore settings to their original defaults. This will reset your homepage, new tab page, and search engine, and disable extensions without removing your bookmarks or passwords.
- Remove suspicious extensions: Go back to the Chrome menu and click Extensions. Review extensions and click Remove on any unfamiliar or suspicious ones. Pay attention to anything you didn’t add yourself.
- Run Chrome’s built-in cleanup tool: In the Chrome Settings search bar, type “Clean up” and select Clean up computer. Click Find to allow Chrome to scan for malware.
- Clear web browser data: Go to Settings, click Privacy and security, and choose Clear browsing data. Select All time, and check the boxes for Cookies, Cache, and Site data, then click Clear data.
- Run an antivirus scan: After cleaning Chrome, run a full scan with your antivirus tool.
- Re-enable trusted extensions: After you remove the malware, return to Extensions. Re-enable any trusted extensions disabled during the reset.