JAKARTA - Mac computer users are urged to be on the lookout after cybersecurity researchers discovered a new malware called CrashStealer that masquerades as an official Apple utility. The malware is designed to steal various sensitive data, ranging from passwords, browser data, to crypto asset wallets.
This finding was revealed by Jamf Threat Labs, which found CrashStealer actively spreading through a fake app called Werkbit.
What makes this threat even more dangerous, the malware managed to escape Apple's notarization security mechanism so that it was not immediately blocked by Gatekeeper, the built-in security system of macOS that usually prevents malicious applications from being run.
CrashStealer works by masquerading as CrashReporter.app, an application whose appearance is made to resemble the built-in macOS crash reporting system. Because the appearance is very convincing, many users will likely think that the application is an official component of Apple. In fact, the original Crash Reporter feature is already part of macOS and does not need to be downloaded separately.
When run, the fake application requests Full Disk Access permission with the excuse of system administration. After that, the malware displays a password request dialog box whose appearance is almost identical to the official macOS authentication window.
If the user enters the administrator password, CrashStealer immediately uses it to access Login Keychain, where macOS stores various important credentials.
Target Password to Crypto Wallet
According to Jamf Threat Labs, CrashStealer is designed to collect various types of sensitive data, including:
browser data,
information from Keychain Login,
password manager data,
file in the Documents folder,
file in the Downloads folder,
extension of cryptocurrency wallet.
This malware is capable of targeting more than 80 crypto wallet extensions as well as at least 14 password manager applications.
Some of the password managers that were targeted include:
1Password,
LastPass,
Dashlane.
All the data that was successfully collected was then encrypted using the AES-256-GCM algorithm through Apple's CommonCrypto framework before being sent to the perpetrator's server.
Bypassing Apple's Security System
One of the most worrying things is CrashStealer's ability to bypass Apple's notarization process. Notarization is a security mechanism that Apple uses to check if an application contains malicious code before it is allowed to run on macOS.
However, in this case, the Werkbit application had obtained a notarized status so that Gatekeeper considered it a safe application.
Jamf assesses that the implementation of CrashStealer shows a higher level of sophistication than data theft malware in general because it is able to disguise its activities very neatly.
Apple Has Closed the Attack Path
Jamf first discovered CrashStealer in May 2026 and again detected the malware being actively used in July.
After receiving the report, Apple revoked the signing credentials of the Werkbit application so that the distribution path found by the researcher has now been disabled.
However, researchers warn that perpetrators may use other methods to spread similar malware in the future.
Interestingly, the initial version of CrashStealer can only be installed using a special PIN. This indicates that this malware is likely to be used in attacks targeting specific individuals or groups, rather than mass deployment.
How to Protect Yourself
Jamf urges Mac users to be more careful when downloading apps from the internet.
Some of the recommended steps include:
don't download an app that claims to be CrashReporter because the feature is already available natively on macOS;
be wary of applications that immediately ask for administrator passwords when they are first opened;
download apps only from trusted sources;
always update macOS to the latest version to get the latest security protection.
The CrashStealer case shows that even modern security systems are not always able to stop all threats. Increasingly sophisticated camouflage techniques make users the most important layer of defense. Therefore, checking the origin of an application before installing it and not carelessly granting access permissions or entering the administrator password is a simple step that can prevent the theft of important data and digital assets.
The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)