CrashStealer Malware Targets Mac Users Through Fake App Prompts

Hack Featured

Security researchers have uncovered a new threat targeting Mac computers. A malicious program called “CrashStealer” is currently circulating online, and it is designed to look like a legitimate system tool to trick users into handing over their passwords. The malware is focused on stealing browser data, crypto wallet credentials, and passwords saved directly on your computer.

What makes this attack especially dangerous is that the initial download actually passed security checks from Apple and received official notarization. Apple has since revoked the developer credentials, but the campaign highlights how attackers are getting better at sneaking past standard security gates.

Attackers use a fake meeting app to deliver the payload

The attack typically starts with a fake collaboration or meeting app called “Werkbit.” Scammers place this download behind a specific meeting PIN, meaning they are likely targeting specific victims directly rather than blasting the link across the public internet.

Once a user downloads and opens the Werkbit app, it quietly reaches out to a remote server and downloads the actual CrashStealer malware in the background. The malware then disguises itself as “CrashReporter,” a name chosen to mimic an official macOS crash reporting tool that most users would ignore.

The malware uses fake password prompts to unlock your data

Once installed on your system, CrashStealer generates a pop-up window that looks exactly like a standard Mac authorization prompt. It asks you to enter your system password to grant access for “system administration.”

If you enter your password, the malware validates it immediately. It then uses your confirmed password to unlock your Mac login keychain. CrashStealer rapidly copies your saved passwords from browsers, password managers, and crypto extensions. It bundles all this data into an encrypted ZIP file and sends it back to the attackers. The malware also sets itself to run automatically every time you log in, so the threat stays active even if you restart your computer.

If you suspect you have downloaded a suspicious meeting app or entered your password into an unexpected prompt, security experts recommend disconnecting from the internet, changing all major passwords from a safe device, and completely erasing your Mac to perform a clean install.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.