Mac users are facing a sophisticated new threat called CrashStealer malware that actively bypasses Apple's built-in security defenses to drain cryptocurrency wallets and password managers. Discovered by Jamf Threat Labs, this malicious software impersonates a native system utility to trick victims into handing over their most sensitive data.
The malware initially circulated hidden inside a fake app called Werkbit. Alarmingly, Werkbit managed to slip through Apple's notarization system, which is designed to scan software for malicious components before distribution. Because the app was notarized, macOS Gatekeeper allowed it to run without triggering standard security blocks. Once installed, it drops a fake CrashReporter.app that mimics Apple's legitimate crash reporting framework.
The scope of the data theft is extensive. CrashStealer actively targets more than 80 cryptocurrency wallet extensions and 14 popular password managers, including 1Password, LastPass, and Dashlane. It scours the Documents and Downloads folders for valuable files and requests full disk access under the guise of system administration.
By generating a native-looking macOS authorization prompt, it tricks users into entering their system password, granting the malware direct access to the login keychain. The stolen data is then encrypted using AES-256-GCM through Apple's CommonCrypto and exfiltrated to the attacker's server.
How to Spot and Block CrashStealer
Since Apple has revoked Werkbit's signing credentials, this specific attack vector is disabled, but the malware's underlying code will likely resurface. Protect your system by watching for these red flags:
- Verify CrashReporter: Apple's official crash reporting tool is deeply integrated into macOS. Any third-party download that attempts to install or run a standalone CrashReporter is inherently malicious.
- Scrutinize Password Prompts: Be highly suspicious of any newly installed application that immediately demands your system password upon launch, especially if it claims to need system administration privileges.
- Check App Origins: Even if an app bypasses Gatekeeper, stick to verified developers and the Mac App Store for sensitive software installations.
The Illusion of Notarization
The fact that CrashStealer successfully navigated Apple's notarization process exposes a critical blind spot in macOS security. Notarization relies heavily on automated scanning, which sophisticated threat actors are increasingly learning to evade using encrypted payloads or delayed execution tactics. The initial version of Werkbit was even gated behind a PIN, suggesting a highly targeted spear-phishing campaign rather than a broad, noisy attack.
This incident proves that the Apple seal of approval is no longer an absolute guarantee of safety. Mac users must shift from relying solely on Gatekeeper to adopting a zero-trust mindset. Treating every password prompt with extreme skepticism, regardless of the app's notarized status, is now a mandatory survival skill for macOS users.