CrashStealer malware abuses signed apps and fake crash-reporting prompts on macOS
CrashStealer is a new macOS infostealer that disguises itself as Apple's crash-reporting tool and uses signed or notarized components to get past Gatekeeper checks. The malware steals credentials, Keychain data, browser information, and cryptocurrency wallets, then encrypts the stolen information to make analysis harder. Researchers observed the sample in development in May and active use by early July, showing a quick transition from testing to real-world deployment. This matters because it demonstrates that macOS users can be targeted through trust in Apple's signing and notarization ecosystem rather than through obvious malicious binaries. The campaign also reflects how attackers are adapting commodity theft malware to Apple environments at higher quality. Defenders should treat signed installers and fake system utilities with the same skepticism they apply to Windows droppers.
Sources
- New macOS malware steals passwords by posing as Apple’s crash-reporting tool — Help Net Security
- CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper — Security Affairs
- CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks — Lifeboat — Cybercrime & Malcode


Leave a Reply