CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto - MacRumors
Skip to Content

CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto

Mac users should watch out for macOS malware called CrashStealer, according to Jamf Threat Labs. The malware impersonates Apple's crash reporting framework, and it's meant to steal all kinds of sensitive information.

bug security vulnerability issue fix larry
CrashStealer collects browser data, password manager data, cryptocurrency wallet extensions, and keychain data, and Jamf first noticed it circulating in a fake Apple-notarized app called Werkbit. With notarization, the malware is not stopped by Gatekeeper, which is part of the macOS security system.

It targets more than 80 cryptocurrency wallet extensions, and 14 password managers like 1Password, LastPass, and Dashlane. It searches through the Document and Downloads folders to look for information worth collecting.

The app looks legitimate and uses a typical macOS install procedure for software downloaded through the web, with the process detailed on Jamf's website. A fake CrashReporter.app is downloaded through Werkbit, and it's meant to impersonate Apple's own crash reporter. A user clicking on the app would likely see it as a legitimate Apple utility.

It requests full disk access "for system administration," and uses a native password prompt that looks like a genuine macOS authorization request. The password entered is used to access the login keychain. Data collected is encrypted with AES–256-GCM through Apple's CommonCrypto and sent to the attacker's IP address.

Jamf says the way CrashStealer was implemented "shows real care," with the concealment steps setting it apart from standard infostealers. The malware was reported to Apple after first being spotted in May and found actively in use in July.

Apple revoked the Werkbit app's signing credentials, so the specific attack vector outlined by Jamf has been disabled, but the malware could surface again. The original version was gated behind a PIN required for installation, suggesting it was aimed at specific people.

Apple's notarization system is meant to protect Mac users from malware, and Apple says that notarized apps are checked for malicious components. CrashStealer makes it clear there are methods for hiding malware from Apple's security process.

When downloading software, users can protect themselves from CrashStealer by being aware that Apple's crash reporter is built-in. Any download that uses CrashReporter is a red flag, as is an app that asks for a system password right when it's launched.

Tag: Malware

Popular Stories

Waze logo

5 New Waze Features Rolling Out Now: Here Are All the Details

Monday July 13, 2026 3:42 am PDT by
Google today announced that Waze is getting a handful of new features, including some Gemini-powered personalization enhancements for Conversational Reporting. Conversational Reporting already uses Gemini when users report traffic incidents like slowdowns, but now you can use it to suggest map updates like road closures or outdated addresses. Saying something like "The road is closed here"...
apple back to school sans airpods 2

Apple's 2026 Back to School Offer is Coming Soon

Sunday July 12, 2026 7:29 am PDT by
Apple's stores will be rolling out Back to School marketing materials this week, according to Bloomberg's Mark Gurman. This suggests that the offer will begin in the U.S. in the next few days. Last year, college students and educational staff could receive a free accessory like AirPods 4 or an Apple Pencil Pro with the purchase of a qualifying Mac or iPad model. The Back to School offer is in...
Apple Event Logo

Apple Acquiring SigScalr

Monday July 13, 2026 7:01 am PDT by
In March, Apple informed the EU that it had agreed to acquire certain assets and hire employees from SigScalr, according to a notice published today on the European Commission's website. SigScalr created the open-source observability platform SigLens, which companies can use to aggregate and analyze logs, metrics, and traces at massive scales for monitoring and debugging purposes. SigLens was...

Top Rated Comments

Justin Cymbal Avatar
43 minutes ago at 04:17 pm
People would say for years that Macs can’t get malware, but that was mainly a result of Macs having such a low market share compared to the PC market

That has changed and now Macs are much more susceptible to getting these kinds of malware attacks than they used to be in the past
Score: 1 Votes (Like | Disagree)