The Next Message About Your Mac Crashing Might Be Malware.

If you’re a Mac user, beware of any system prompts that require you to enter credentials to send reports to Apple. A new malware, dubbed CrashStealer, disguises itself as a legitimate crash reporting tool, stealing data from your keychain, local files, and data from browsers, password managers, and cryptocurrency wallets.
CrashStealer impersonates Apple on macOS
This macOS malware, discovered by Jamf , appears to be a legitimate app. It’s called “CrashReporter.app,” uses a recognizable icon and metadata, and is distributed via a dropper signed and verified by Apple. Users can download the installer from a fake website advertising the “Werkbit” meeting platform, requiring a PIN for access. Installation then proceeds similarly to installing any other legitimate app, as the campaign uses social engineering techniques to trick users into installing the malware directly on their devices. As BleepingComputer describes , its technical configuration allows it to evade detection by macOS antivirus tools.
Are you an Apple fan or interested in the company’s product announcements? Lifehacker is running “The Big Guessing Game”—a free contest asking readers to guess what Apple might announce this year. The game is currently in its second round, and you can enter by following this link .
When the malware launches, it mimics Apple’s Crash Tracking Service, displaying a prompt that appears to be identical to a macOS authorization request for changes to system preferences. Users are prompted to enter their password to allow these changes, and the malware verifies the credentials locally. If the password is incorrect, the prompt is repeated until the correct credentials are provided. With the system password, attackers can unlock the user’s keychain and all encrypted data within, such as Wi-Fi and app passwords, certificates, and tokens. CrashStealer also appears to target other data on users’ devices, including:
-
Files from the Documents and Downloads folders.
-
Credentials and cookies from Firefox and Chromium browsers.
-
14 password managers, including popular apps like 1Password, Bitwarden, LastPass, Dashlane, NordPass, and Keeper.
-
80 extensions for cryptocurrency wallets.
The malware is capable of encrypting stolen data, placing it in a hidden ZIP archive, and uploading it to the attackers’ servers.
How to protect your Mac from CrashStealer
It’s unclear exactly how attackers are distributing this particular malware, but be careful when downloading and installing apps on your device, as attackers are capable of conducting highly sophisticated campaigns that arouse little or no suspicion. If you’re not 100% sure of the origin or legitimacy of an app or software, don’t install it. If you’re concerned about malware running on your device, please use my guide on detecting and removing it .
You should also be wary of system processes that require login credentials to run—an action many of us often perform without thinking. Regarding CrashStealer, it’s important to know that crash reports and diagnostic data sent to Apple don’t require a password. You may be asked if you want to provide this information, but you won’t be required to confirm it in any way.