There’s nothing worse than a new and innovative malware approach, but that’s exactly what Google users have been exposed to.

This latest attack takes advantage of Google’s kiosk mode. For those of you not familiar with kiosk mode, here’s a quick breakdown: it’s a Chrome browser mode which limits a device to one specific app or function, perfect for public or business use. It protects devices by locking away access to the rest of the device. Typically, it can be seen on staff sign-in devices or on devices which provide access to in-person catalogues. And hackers are now exploiting kiosk mode to launch data harvesting malware.

Understanding the Google Kiosk Attack

OALABS security researchers have revealed how the attack unfolds, so we’re going to walk you through the nefarious activity and processes. The attack begins with the execution of malware, in the majority of cases Amadey, which scans the device for available browsers. Once it finds, for example, Chrome, Amadey launches the browser in kiosk mode and directs it to a legitimate, yet compromised URL.

Cleverly, Amadey ensures that both the F11 and Escape keys are disabled, making it difficult for victims to close kiosk mode down in an instant. It’s also particularly tricky for users because kiosk mode tends to run full-screen, meaning typical browser features such as navigation buttons and toolbars are absent. Users, therefore, are severely restricted in what actions they can take while locked in kiosk mode.

The URL, which launches in kiosk mode, is a genuine ‘change password’ page for Google credentials. However, in the background, Amadey has launched StealC, an information stealer which will then harvest the inputted credentials and forward them to the hackers. The attack is a frustrating one, and one where the hackers hope this frustration will lead to victims entering their login credentials in sheer desperation.
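
A detection sketch for the launch step described above, added here as an example and not taken from the OALABS research: it scans process-creation events for a browser started with Chrome's --kiosk command-line switch by a parent process that is not an approved kiosk launcher. The browser list, the allowlisted launcher name and all sample events are assumptions constructed for illustration.

```python
import ntpath
import shlex

# Assumed for illustration: the browser list and the sanctioned kiosk launcher name.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
ALLOWED_PARENTS = {"kiosklauncher.exe"}  # hypothetical in-house kiosk shell

def split_args(command_line):
    """Tokenise a Windows command line; fall back to whitespace on bad quoting."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:
        parts = command_line.split()
    return [p.strip('"') for p in parts]

def find_kiosk_launches(events, allowed_parents=ALLOWED_PARENTS):
    """Flag browsers started with --kiosk by a parent outside the allowlist."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() not in BROWSERS:
            continue
        args = split_args(ev["CommandLine"])
        # Exact token match, so unrelated switches such as --kiosk-printing are ignored.
        if "--kiosk" not in [a.lower() for a in args]:
            continue
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if parent in allowed_parents:
            continue
        urls = [a for a in args if a.lower().startswith(("http://", "https://"))]
        findings.append({"host": ev["Computer"], "parent": parent, "urls": urls})
    return findings

# Constructed events; field names follow Sysmon Event ID 1, all values are made up.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"Computer": "PC-01", "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" https://example.com/'},
    {"Computer": "PC-02", "Image": CHROME,
     "ParentImage": r"C:\Users\a\AppData\Local\Temp\updater_tmp.exe",
     "CommandLine": f'"{CHROME}" --kiosk https://example.com/change-password'},
    {"Computer": "LOBBY-01", "Image": CHROME,
     "ParentImage": r"C:\Kiosk\KioskLauncher.exe",
     "CommandLine": f'"{CHROME}" --kiosk https://example.com/sign-in'},
    {"Computer": "PC-03", "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" --kiosk-printing https://example.com/'},
]

if __name__ == "__main__":
    for hit in find_kiosk_launches(SAMPLE_EVENTS):
        print(hit)
```

On devices that are not meant to be kiosks, the allowlist can be left empty so that any --kiosk launch is surfaced for review.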

How Do You Escape Kiosk Mode and Stay Safe?

If you find yourself stuck in kiosk mode, there’s a risk that you could be under attack. Luckily, there are a number of measures you can take to nullify the threat:

  • Perform a Hard Reset: Drastic times often call for drastic measures, so that’s why a hard reset may be your best option here. Simply hold down the power button on your device, usually for five seconds, until it shuts down. You will lose any unsaved work, but it does buy you some breathing time to rescue your device.
  • Run an Anti-Virus in Safe Mode: Once you’ve escaped kiosk mode, it’s important to remove the initial threat from your device. You can do this by restarting your PC and entering Safe Mode – usually by pressing F8 during the bootup process – and then running anti-virus software such as AVG or Malwarebytes.

For more ways to secure and optimize your business technology, contact your local IT professionals.

