iOS 26

iPhone

iPad

Apple Watch

AirPods

Apple Deals

Mac Owners Need to Know These 2 Warning Signs Before a Fake Apple App Quietly Steals Their Passwords and Personal Data

Gotechtor select and review products independently. When you purchase through our links, we may earn a commission. See our ethics statement.

A strain of Mac malware discovered by security researchers at Jamf Threat Labs has successfully bypassed Apple’s app verification system by disguising itself as a built-in macOS utility.

The malware, called CrashStealer, targets stored passwords, cryptocurrency wallets, and browser data, and it was found actively circulating in July 2026.

The delivery mechanism is what sets this apart from typical Mac threats. CrashStealer arrived bundled inside an app called Werkbit, which carried valid Apple notarization credentials.

Notarization is the process Apple uses to scan and approve software before it reaches users, and its presence is what allows an app to bypass Gatekeeper, the macOS security layer that blocks unverified software at launch.

What CrashStealer Actually Collects

Once installed, the malware deploys a fake version of CrashReporter, a legitimate Apple diagnostic tool that ships with every Mac. Because most users have seen real macOS crash reports, the interface looks credible.

The app requests full disk access under the pretense of system administration, then presents a native-looking password prompt. Whatever the user types is used to unlock the login keychain, where macOS stores saved credentials.

From there, CrashStealer searches the Documents and Downloads folders and scans for data across more than 80 cryptocurrency wallet browser extensions.

It also targets 14 password managers specifically, including 1Password, LastPass, and Dashlane. Collected data is encrypted and transmitted to a remote server controlled by the attacker.

Also: 7 ways Siri in iOS 27 finally fixes the frustrations that have annoyed iPhone users for more than a decade

How Apple Responded and What Still Applies

Jamf reported the malware to Apple after first detecting it in May. Apple has since revoked Werkbit’s signing credentials, disabling the specific distribution path that Jamf documented.

The original version also required a PIN to install, suggesting it was deployed against specific targets rather than distributed broadly.

Revoking credentials closes that channel, but the underlying technique remains viable. A similar app built on the same approach could surface with fresh credentials.

Jamf noted that the construction of CrashStealer showed deliberate effort to avoid detection, with concealment steps that go beyond what most infostealer malware bothers to include.

Also: Someone isn’t telling the truth about Apple’s explosive lawsuit against OpenAI, and the stakes just got much higher

Two Things That Should Stop Any Mac User

Apple’s crash reporting tool is part of macOS itself. It does not arrive as a separate download, and no legitimate software installer should deliver a file called CrashReporter.

Any app that does that is worth deleting immediately. Separately, an app that requests a system password the moment it opens, before doing anything else, is behaving in a way that standard software does not. Together, those two signals are a reliable indicator that something is wrong.

🍎 The only 5 Apple stories that matter — sent every Friday to 50K+ smart readers. You in?

Founder & Editor-in-Chief

Herby has a healthy obsession with all things Apple, especially the iPhone. He loves to rip things apart to see how they work. He is responsible for the editorial direction, strategy, and growth of Gotechtor.

Herby Jasmin

's latest stories

Leave a Comment

Be kind. Discriminatory language, personal attacks, promotion, and spam will be removed. Please read Gotechtor's Community Guidelines before participating.