A Stealthy New Player in macOS Threats
Cybersecurity researchers have uncovered a fresh macOS information stealer dubbed CrashStealer. Unlike many of its peers that lean on AppleScript droppers or Objective-C wrappers, this one is built in native C++. That alone makes it stand out — and more dangerous.
According to Jamf Threat Labs, CrashStealer doesn’t just skim data passively. It validates the victim’s login password locally before proceeding. If the password doesn’t match, the malware simply stops. That’s a level of caution rarely seen in commodity stealers.
The big headline? CrashStealer passed Apple’s notarization checks, meaning it briefly wore a badge of trust before being flagged. That’s a sobering reminder that notarization is not a guarantee of safety.
How CrashStealer Bypasses Gatekeeper
Apple’s Gatekeeper is designed to block unsigned or untrusted code from running on macOS. But CrashStealer’s developers got their payload notarized by Apple — a process meant to verify that software is free of known malicious components.
How? The dropper itself appeared clean. It was only the second-stage payload that carried the malicious logic. Once the notarized installer ran, it fetched the real stealer from a remote server, entirely bypassing the initial Gatekeeper scan.
This technique, sometimes called a “notarized dropper,” exploits a gap: Apple checks the outer package but doesn’t re-verify dynamically downloaded code. For attackers, it’s a clean way to get a foothold on a locked-down Mac.
The C++ Advantage
Most macOS malware relies on scripting languages like AppleScript or higher-level wrappers in Objective-C. CrashStealer’s use of native C++ gives it several advantages:
- Smaller binary size, making it harder to spot via heuristics
- Lower-level system access, useful for keylogging and credential theft
- Better evasion of signature-based detection tools
Jamf researchers noted that the malware’s code is lean and avoids common macOS API calls that antivirus engines monitor. That’s a deliberate design choice — and it works.
What Data Does CrashStealer Harvest?
Once active, CrashStealer goes after a broad set of sensitive information. Its targets include:
- Login passwords and keychain data
- Browser cookies and saved credentials
- Cryptocurrency wallet files
- System information and installed application lists
- iCloud tokens, if accessible
The stolen data is exfiltrated to a command-and-control server. Researchers haven’t yet confirmed the full scope of victims, but the malware’s design suggests a broad, indiscriminate targeting strategy — not a narrow espionage campaign.
What This Means for Mac Users
For years, Mac users enjoyed a reputation for relative safety compared to Windows. That’s changing. macOS-specific malware like CrashStealer, Mac ransomware, and info-stealers targeting Apple systems are on the rise.
The fact that CrashStealer passed notarization is particularly troubling. It means users who trust Apple’s stamp of approval can still be compromised. The lesson: don’t rely solely on Apple’s security checks. Practice the same caution you would on any other platform.
If you’re a Mac user, consider these steps:
- Only download software from official developer websites, not third-party mirrors
- Keep macOS and all apps updated
- Use a reputable endpoint security tool that monitors for unusual behavior
- Enable FileVault encryption to protect data at rest
- Be skeptical of unexpected password prompts — CrashStealer asks for your login password
Detection and Mitigation
Jamf Threat Labs has published indicators of compromise (IoCs) for CrashStealer, including known C2 domains and file hashes. Security teams can use these to scan for infections.
Apple has since revoked the notarization ticket for the malicious dropper, so new installations should now trigger Gatekeeper warnings. But existing infections remain active until cleaned.
For individuals, a full system scan with an updated antivirus tool is the first step. If you suspect compromise, change all passwords from a clean device and enable two-factor authentication wherever possible.
CrashStealer is a wake-up call. macOS notarization is a useful security layer — but it’s not bulletproof. Treat every download with a healthy dose of skepticism, even if Apple gave it a thumbs-up.