CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto - MacRumors
Skip to Content
CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto
Wednesday July 15, 2026 4:14 pm PDT by Juli Clover<br>Mac users should watch out for macOS malware called CrashStealer, according to Jamf Threat Labs. The malware impersonates Apple's crash reporting framework, and it's meant to steal all kinds of sensitive information.
CrashStealer collects browser data, password manager data, cryptocurrency wallet extensions, and keychain data, and Jamf first noticed it circulating in a fake Apple-notarized app called Werkbit. With notarization, the malware is not stopped by Gatekeeper, which is part of the macOS security system.
It targets more than 80 cryptocurrency wallet extensions, and 14 password managers like 1Password, LastPass, and Dashlane. It searches through the Document and Downloads folders to look for information worth collecting.
The app looks legitimate and uses a typical macOS install procedure for software downloaded through the web, with the process detailed on Jamf's website. A fake CrashReporter.app is downloaded through Werkbit, and it's meant to impersonate Apple's own crash reporter. A user clicking on the app would likely see it as a legitimate Apple utility.
It requests full disk access "for system administration," and uses a native password prompt that looks like a genuine macOS authorization request. The password entered is used to access the login keychain. Data collected is encrypted with AES–256-GCM through Apple's CommonCrypto and sent to the attacker's IP address.
Jamf says the way CrashStealer was implemented "shows real care," with the concealment steps setting it apart from standard infostealers. The malware was reported to Apple after first being spotted in May and found actively in use in July.
Apple revoked the Werkbit app's signing credentials, so the specific attack vector outlined by Jamf has been disabled, but the malware could surface again. The original version was gated behind a PIN required for installation, suggesting it was aimed at specific people.
Apple's notarization system is meant to protect Mac users from malware, and Apple says that notarized apps are checked for malicious components. CrashStealer makes it clear there are methods for hiding malware from Apple's security process.
When downloading software, users can protect themselves from CrashStealer by being aware that Apple's crash reporter is built-in. Any download that uses CrashReporter is a red flag, as is an app that asks for a system password right when it's launched.
Tag: Malware
[ 27 comments ]
Get weekly top MacRumors stories in your inbox.<br>Leave this field empty<br>Popular Stories
5 New Waze Features Rolling Out Now: Here Are All the Details<br>Monday July 13, 2026 3:42 am PDT by Tim Hardwick<br>Google today announced that Waze is getting a handful of new features, including some Gemini-powered personalization enhancements for Conversational Reporting. Conversational Reporting already uses Gemini when users report traffic incidents like slowdowns, but now you can use it to suggest map updates like road closures or outdated addresses. Saying something like "The road is closed here"...<br>Read Full Article • 51 comments
Apple's 2026 Back to School Offer Just Went Live in Select Countries<br>Wednesday July 15, 2026 11:48 am PDT by Joe Rossignol<br>Apple's annual Back to School promotion is now live in select countries in Asia, including China, India, Malaysia, the Philippines, Singapore, Taiwan, Thailand, and Vietnam. The offer provides college students and educational staff with a free item with the purchase of an eligible Mac or iPad model. The exact offer varies by country, with options including a pack of four AirTags, AirPods 4,...<br>Read Full Article • 19 comments
Apple's 2026 Back to School Offer is Coming Soon<br>Sunday July 12, 2026 7:29 am PDT by Joe Rossignol<br>Apple's stores will be rolling out Back to School marketing materials this week, according to Bloomberg's Mark Gurman. This suggests that the offer will begin in the U.S. in the next few days. Last year, college students and educational staff could receive a free accessory like AirPods 4 or an Apple Pencil Pro with the purchase of a qualifying Mac or iPad model. The Back to School offer is in...<br>Read Full Article • 16 comments
Top Rated Comments
Skwoodge<br>16 hours ago at 05:02 pm
People would say for years that Macs can’t get malware, but that was mainly a result of Macs having such a low market share compared to the PC market
That has changed and now Macs are much more susceptible to getting these kinds of malware attacks than they used to be in the past
It was never true that Macs can't get malware, but macOS is definitely a more popular target now. However, most malware still requires inputting your password because of Apple's multi-layered security, so you need to be careful what things you...