Cybersecurity & Protection

CrashStealer: New macOS Malware Poses as Apple's CrashReporter

Jul 17, 2026 3 min read
All articles

Security researchers are warning about a new piece of macOS malware that disguises itself as Apple's CrashReporter. The security team at MDM specialist Jamf discovered it. The malware, named CrashStealer, is a classic infostealer: it targets sensitive data on the Mac, including credentials from many well-known password managers, the Apple keychain, and passwords and details from crypto wallets. A built-in routine also scans the Documents and Downloads folders for anything useful.

How the malware works

Technically, CrashStealer is clever about it. It encrypts the stolen files with AES-GCM and then sends them to a command-and-control server via libcurl. The pattern recalls known macOS infostealers such as Atomic. According to Jamf, though, the native C++ implementation and the client-side encryption make CrashStealer its own malware family.

The malware surfaced in a web-distributed app called Werkbit that presents itself as a meeting tool. It has nothing to do with the German business software of the same name. The fake Werkbit app initially carried a valid Apple certificate. Apple has since disabled the associated Developer Team ID after Jamf reported the case. Malware shipping with a legitimate developer ID is an unfortunately recurring problem, because it means no warning appears when the software runs.

On top of that, the installer tries to slip past Gatekeeper verification. Through social engineering, it nudges users into opening the app via right-click, a method Apple keeps making harder. That detour wasn't even necessary here, since the certificate was valid.

Fake CrashReporter demands admin rights

To reach the data, CrashStealer installs a fake CrashReporter app alongside it. The app mimics Apple's real tool, which normally appears when a program crashes. On first launch, the fake asks for full SSD access and an administrator password. Once granted, it accesses the keychain and the theft begins. Jamf describes the implementation as especially sneaky and harder to spot than typical infostealers. First signs circulated back in May, and Jamf still found active installations in July.

Little is known about the exact distribution channels. It's possible the app was meant for targeted attacks on specific people. The fake Werkbit required a meeting ID in the form of a PIN before installation. The flow might look like this: a victim receives a meeting invitation with a PIN and a prompt to download. After installation, the data theft starts.

If you use a Mac, install software only from sources you trust, and be suspicious the moment a supposed system app asks for full access and your administrator password.