Digital Blog
Cybersecurity

CrashStealer Mac malware steals passwords, crypto wallets

CrashStealer Mac malware poses as Apple’s crash reporter to steal browser passwords, Keychain entries and crypto-wallet data, Jamf says.

By Reza Khalil3 min read
A malware warning displayed on a laptop screen

A Mac infostealer called CrashStealer is masquerading as Apple’s crash reporter to ask for passwords and access to Keychain and cryptocurrency-wallet data, according to Jamf Threat Labs. Jamf said it first saw the malware in early May. The app is meant to look ordinary, not noisy.

In a 13 July advisory, the security company described CrashStealer as C++ malware distributed through a malicious DMG file. The fake alert copies the shape of a system crash report, then uses that familiar moment to push the user toward a password prompt. Jamf’s point is that the interface does part of the attacker’s work before any data is taken.

The target list gives the campaign its reach. Jamf said CrashStealer attempts to collect browser credentials, crypto-wallet information and Keychain entries. One approved request can expose saved logins, financial-tool access and other stored secrets from the same Mac.

This is not an Apple platform breach. Jamf’s finding is narrower: the malware borrows trust signals around signed and notarised software, then imitates a crash-reporting workflow closely enough to get a password from the person using the computer. The real Apple crash reporter has not been reported as compromised, which keeps the focus on download provenance rather than a single vulnerable service.

Why the fake prompt is effective

Crash alerts tend to appear when users are trying to reopen an app or get back to work. A newly opened DMG, a familiar-looking warning and a password box can feel like one routine sequence, particularly if the app has already cleared the first visual trust checks. That small timing advantage is enough for social engineering to become the main exploit.

The case also shows the limits of macOS signing and notarisation checks. They reduce risk and remove plenty of bad software before users see it, but they do not prove that a download came from a source the user intended to trust. Nor do they make every later credential prompt legitimate.

What Mac users and IT teams should do

For individual Mac users, the practical defence is to pause before entering an administrator password after opening newly downloaded software. A prompt that appears straight after launching an unexpected DMG, or one that asks for more access than the job seems to require, should be treated as suspicious. Closing the app and checking where the file came from is safer than clicking through to make the dialogue disappear.

Australian organisations with Mac fleets face the same problem at larger scale. Endpoint security can help identify suspicious DMG-based installs, but the campaign still depends on trust and timing. Staff need permission to question unexpected credential prompts, including on Macs that normally feel locked down.

CrashStealer does not appear to rely on a spectacular exploit. Jamf’s report points to a quieter pattern: blend into the operating system, ask at the right moment and let the user supply the access. The response is not panic about Apple itself, but stricter habits around downloads, prompts and the moments when macOS asks for trust.

appleCrashStealerJamf
Reza Khalil

Reza Khalil

Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.

Related