Update – Google has since issued a statement which reads:
Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steals cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.
However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.
In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
Have you noticed that some websites log you in automatically when you visit them? These sites rely on what are known as session cookies. These cookies carry authentication information so that you do not have to log in every time you visit the website.
These cookies have a limited lifespan so they cannot be used indefinitely or abused, but it now seems that a couple of malware families out there can abuse these cookies and use them to hijack your Google account. This can happen even after you log out of your account, after your session has expired, or after you have reset your password.
According to a detailed report from CloudSEK and Hudson Rock, the malware first needs to be installed on your desktop; it then extracts and decrypts the login tokens stored in Chrome’s local database. The malware then sends a request to a Google API that can regenerate expired Google service cookies, giving the attacker “persistent access” to your account.
At this point it is unclear whether 2FA will help mitigate this attack, since 2FA only applies at login (via OTPs sent to another device such as your phone), whereas a stolen session cookie represents a session that has already been authenticated. In the meantime, until this exploit has been patched, it is probably a good idea to avoid downloading files from unknown sources or opening email attachments from unknown and unverified senders, just to be safe.
Source: Bleeping Computer