HeadlinesBriefing favicon HeadlinesBriefing.com

CrashStealer Malware Steals Mac Passwords & Crypto via Fake Tool

MacRumors •
×

Mac users should watch out for CrashStealer malware, according to Jamf Threat Labs. The malware impersonates Apple's crash reporting framework to steal browser data, password manager data, cryptocurrency wallet extensions, and keychain data. It was first noticed circulating in a fake Apple-notarized app called Werkbit, which bypasses Gatekeeper protections.

CrashStealer targets more than 80 cryptocurrency wallet extensions and 14 password managers including 1Password, LastPass, and Dashlane. It searches Documents and Downloads folders for valuable information. The app uses a typical macOS install procedure, downloading a fake CrashReporter.app that impersonates Apple's legitimate utility. It requests full disk access "for system administration" and presents a native password prompt to access the login keychain. Collected data is encrypted with AES–256-GCM via Apple's CommonCrypto and sent to the attacker's IP.

Jamf notes the implementation "shows real care," with concealment steps setting it apart from standard infostealers. Spotted in May and active in July, the malware was reported to Apple, which revoked Werkbit's signing credentials. However, the malware could resurface; the original version required a PIN for installation, suggesting targeted attacks. Users should note that Apple's crash reporter is built-in—any download using CrashReporter or requesting a system password at launch is a red flag.