A Fresh macOS Stealer Exploits Apple’s Own Security Guardrails
Mac users have long been told that their machines are safer than Windows PCs. But a newly discovered piece of malware, dubbed CrashStealer, is putting that assumption to the test. It sneaks past Apple’s Gatekeeper by borrowing a legitimate developer ID and a valid notarization ticket — the same credentials that are supposed to keep malware out.
First spotted in early July by researchers at Jamf Threat Labs, CrashStealer is a C++ infostealer that goes after login credentials, cryptocurrency wallets, browser data, and anything else it can grab from a compromised system. Its trick? It impersonates Apple’s built-in crash-reporting component, a system process that most users would never think to question.
“The delivery chain shows real care,” said Thijs Xhaflaire, senior threat researcher at Jamf, in a July 13 blog post. Instead of a bare, unsigned lure, the attackers lead with a signed and notarized dropper that clears Gatekeeper before quietly fetching and launching the real payload.
How CrashStealer Slips Past Gatekeeper
The attack chain begins with a disk image that looks like a legitimate software installer. The image is named “Werkbit Setup” and — crucially — it carries a valid Apple Developer ID and a notarization ticket. That means Apple’s Gatekeeper, the security feature that blocks unsigned apps on first launch, gives it a free pass.
Once the user runs the installer, the application reaches out to a GitHub API, which returns an obfuscated script. The script decodes into a downloader-installer that fetches the CrashStealer payload. The whole process is designed to look like a normal software update or crash report — the kind of thing a busy user would click through without a second thought.
Jamf researchers note that the disk image exploits an application bundle specifically built to impersonate Apple’s crash-reporting tool. This helps the malware evade detection by both users and security software.
Data Theft and Cryptocurrency Wallet Targeting
After CrashStealer gains a foothold, it displays a native-looking password prompt. It’s styled to resemble a genuine macOS authorization request. The goal: trick the victim into typing their system login credentials, confirming that the attacker has the right password for the machine.
From there, the malware pivots to its real objective: stealing browser usernames and passwords, cryptocurrency wallet logins, password manager credentials, and any other data stored in the system keychain. It targets popular wallets and browser-stored credentials, giving attackers access to email, social media, and financial accounts.
What Makes CrashStealer Different from Other Mac Malware
There’s no shortage of macOS infostealers out there — Atomic (AMOS) and MacSync are two recent examples. But CrashStealer stands apart in a few key ways.
- Client-side AES-GCM encryption: The malware encrypts stolen files before exfiltration, making it harder for researchers to analyze the data in transit.
- Control-flow flattening: This obfuscation technique scrambles the code’s logical structure, making reverse engineering a nightmare.
- Encrypted strings and layered anti-debugging: The malware actively resists analysis by security tools, using multiple techniques to detect and evade sandboxes.
“What sets it apart from the commodity stealer crowd is less what it collects than how it is built,” Xhaflaire said. The emphasis on analysis resistance suggests a more sophisticated operator behind the wheel — not just a script kiddie repurposing old code.
Apple’s Response and What Mac Users Should Do
After confirming that a Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported the incident to Apple. The company has not publicly commented on the matter yet.
For Mac users, the takeaway is clear: a signed and notarized app is no longer a guarantee of safety. The CrashStealer case shows that attackers are willing to jump through Apple’s hoops — obtaining legitimate developer credentials — to bypass Gatekeeper.
To stay protected, users should:
- Be wary of unexpected installer prompts, even if they look official.
- Check the developer name and certificate details before running any new software.
- Keep macOS and security software up to date.
- Use strong, unique passwords and a password manager — but be aware that even password managers are now in the crosshairs.
CrashStealer is a reminder that no platform is immune. As macOS grows in popularity, so does the attention it gets from malware authors. The days of “Macs don’t get viruses” are long gone — if they ever really existed.