CrashStealer on macOS: a fake crash report asks for the Mac password

CrashStealer malware targets Mac passwords with a fake crash report
© RusPhotoBank

Researchers at Jamf Threat Labs have uncovered new malware for macOS that disguises itself as a system application crash report. Called CrashStealer, it uses a fake crash window to trick users into entering their Mac password.

If the password is entered, CrashStealer can access a wide range of personal data. Password managers, cryptocurrency wallets and other sensitive information stored on the device may all be exposed. According to Jamf, the first CrashStealer samples were tracked in early May, and by early July there were signs that the malware was already being used in real-world attacks.

CrashStealer was distributed through a disk image named Werkbit Setup. It contained the Werkbit.app application, whose executable was called veltod. The scheme was particularly dangerous because, at an early stage, the DMG and the app had a valid Apple Developer ID signature and notarization, allowing Gatekeeper to let them through on first launch.

According to Macworld, Apple has already revoked the developer credentials, so Gatekeeper should recognize this version of the threat. Caution is still warranted, however: attackers can change the packaging, signatures and file names while keeping the same attack logic.

The main advice remains unchanged — download apps only from the Mac App Store or official websites of trusted developers. Unexpected crash reports and password prompts should also be treated with suspicion, especially when a window claims that “System Settings” wants to make changes.