CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto

Mac users should watch out for macOS malware called CrashStealer, according to Jamf Threat Labs. The malware impersonates Apple's crash reporting framework, and it's meant to steal all kinds of sensitive information.

bug security vulnerability issue fix larry
CrashStealer collects browser data, password manager data, cryptocurrency wallet extensions, and keychain data, and Jamf first noticed it circulating in a fake Apple-notarized app called Werkbit. With notarization, the malware is not stopped by Gatekeeper, which is part of the macOS security system.

It targets more than 80 cryptocurrency wallet extensions, and 14 password managers like 1Password, LastPass, and Dashlane. It searches through the Document and Downloads folders to look for information worth collecting.

The app looks legitimate and uses a typical macOS install procedure for software downloaded through the web, with the process detailed on Jamf's website. A fake CrashReporter.app is downloaded through Werkbit, and it's meant to impersonate Apple's own crash reporter. A user clicking on the app would likely see it as a legitimate Apple utility.

It requests full disk access "for system administration," and uses a native password prompt that looks like a genuine macOS authorization request. The password entered is used to access the login keychain. Data collected is encrypted with AES–256-GCM through Apple's CommonCrypto and sent to the attacker's IP address.

Jamf says the way CrashStealer was implemented "shows real care," with the concealment steps setting it apart from standard infostealers. The malware was reported to Apple after first being spotted in May and found actively in use in July.

Apple revoked the Werkbit app's signing credentials, so the specific attack vector outlined by Jamf has been disabled, but the malware could surface again. The original version was gated behind a PIN required for installation, suggesting it was aimed at specific people.

Apple's notarization system is meant to protect Mac users from malware, and Apple says that notarized apps are checked for malicious components. CrashStealer makes it clear there are methods for hiding malware from Apple's security process.

When downloading software, users can protect themselves from CrashStealer by being aware that Apple's crash reporter is built-in. Any download that uses CrashReporter is a red flag, as is an app that asks for a system password right when it's launched.

Tag: Malware

Popular Stories

Waze logo

5 New Waze Features Rolling Out Now: Here Are All the Details

Monday July 13, 2026 3:42 am PDT by
Google today announced that Waze is getting a handful of new features, including some Gemini-powered personalization enhancements for Conversational Reporting. Conversational Reporting already uses Gemini when users report traffic incidents like slowdowns, but now you can use it to suggest map updates like road closures or outdated addresses. Saying something like "The road is closed here"...
apple back to school sans airpods 2

Apple's 2026 Back to School Offer is Coming Soon

Sunday July 12, 2026 7:29 am PDT by
Apple's stores will be rolling out Back to School marketing materials this week, according to Bloomberg's Mark Gurman. This suggests that the offer will begin in the U.S. in the next few days. Last year, college students and educational staff could receive a free accessory like AirPods 4 or an Apple Pencil Pro with the purchase of a qualifying Mac or iPad model. The Back to School offer is in...
Apple 2026 Back to School Graphic

Apple's 2026 Back to School Offer Just Went Live in Select Countries

Wednesday July 15, 2026 11:48 am PDT by
Apple's annual Back to School promotion is now live in select countries in Asia, including China, India, Malaysia, the Philippines, Singapore, Taiwan, Thailand, and Vietnam. The offer provides college students and educational staff with a free item with the purchase of an eligible Mac or iPad model. The exact offer varies by country, with options including a pack of four AirTags, AirPods 4,...

Top Rated Comments

Skwoodge Avatar
9 hours ago at 05:02 pm

People would say for years that Macs can’t get malware, but that was mainly a result of Macs having such a low market share compared to the PC market

That has changed and now Macs are much more susceptible to getting these kinds of malware attacks than they used to be in the past
It was never true that Macs can't get malware, but macOS is definitely a more popular target now. However, most malware still requires inputting your password because of Apple's multi-layered security, so you need to be careful what things you give access to your password.
Score: 10 Votes (Like | Disagree)
TheDailyApple Avatar
9 hours ago at 05:35 pm

It was never true that Macs can't get malware, but macOS is definitely a more popular target now. However, most malware still requires inputting your password because of Apple's multi-layered security, so you need to be careful what things you give access to your password.
Unfortunately social engineering makes users the weak link security-wise.
Score: 8 Votes (Like | Disagree)
IJ Reilly Avatar
4 hours ago at 10:52 pm
Reports of this kind are decidedly unhelpful for nontechnical readers, and probably little use to the technical, either. This payload was apparently attached to an app called "Werkbit," but the story provides no information on this app, how it came to include this code, or why anyone would have downloaded it. Is this merely a proof of concept for a much wider deployment? Could it be attached to other apps, and we simply don't know about it yet? Gosh, wouldn't that be something to know?
Score: 6 Votes (Like | Disagree)
Justin Cymbal Avatar
10 hours ago at 04:17 pm
People would say for years that Macs can’t get malware, but that was mainly a result of Macs having such a low market share compared to the PC market

That has changed and now Macs are much more susceptible to getting these kinds of malware attacks than they used to be in the past
Score: 5 Votes (Like | Disagree)
4 hours ago at 10:44 pm

Notarization from Apple is a joke. It in fact gives the user a false sense of security while it is just a registration process based on good will.
What a strange take. Apple has already used their notarization system to disable this installer. I’m not sure how the social engineering of this malware worked but if you install things from the web, it is incumbent on the user to make sure the source is reliable.

No OS vendor can prevent something like this. All they can do is take action once it is reported. Which is exactly what Apple did.
Score: 2 Votes (Like | Disagree)
4 hours ago at 10:28 pm
Always good to be careful. Malware targeting Macs are increasing.
Score: 2 Votes (Like | Disagree)