Hmm, First of all, it is not possible for any alien process to access a browser's saved password. Not at least if you do not use any homebrew browser. Then , I think the malware phishes a user to login to an identical website or get read & write permission.
After all, we don't always read all those jargon about permission and try to skip. It can happen mostly from porn site (Speaking from experience :P). Lastly, we'll never fully realize a virus mechanics. The moment we do, the author will change the algorithm to keep it up to date with latest loopholes. Hope I am correct. Peace be upon you - Junayeed Ahnaf Nirjhor Twitter - @Nirjhor -- Ubuntu Bangladesh https://lists.ubuntu.com/mailman/listinfo/ubuntu-bd
