A newly discovered malware campaign is going after Apple users through a fake meeting app called Werkbit that, on the surface, looked completely legitimate. The malware behind it, known as CrashStealer, is capable of pulling saved passwords, browser credentials, cryptocurrency wallet data and a fair bit of other sensitive information straight off infected Macs.Researchers at Jamf Threat Labs say the attackers actually managed to abuse Apple's own Developer ID and notarization system to make the malicious app look trustworthy, at least until Apple caught on and revoked the certificate behind it.About The AuthorHey there, i am a technology enthusiast with a deep passion for gadgets, consumer electronics, emerging technologies, and the fast-paced world of digital innovation. Constantly exploring the latest tech trends, product launches, and industry developments, I enjoy translating complex technological advancements into engaging and accessible stories for readers. My interests span smartphones, wearables, artificial intelligence, smart devices, and the broader technology ecosystem. As I begin my journey as a Tech Journalist at Gadgets Now, I am excited to contribute to a platform that informs millions of readers, combining my passion for technology with storytelling to deliver insightful, accurate, and timely tech coverage.According to Macworld, what made this particularly sneaky is that the malware initially showed up disguised as a trusted app, complete with a valid Apple Developer ID and proper notarization, which let it slide right past the usual security warnings people would normally see.Researchers over at Jamf Threat Labs, who first caught onto this campaign, said the malware was still being built out in May before it actually went live and became active in early July. Apple has since pulled the developer credentials tied to the malicious app to cut off its distribution.CrashStealer Malware Can Harvest Passwords, Browser Data and Crypto WalletsAt its core, CrashStealer is built to steal information, and it's specifically designed to pull valuable data off infected Macs. Per Macworld, once it's installed, the malware goes after browser data stored in Chrome, Brave, Edge, Opera, Vivaldi and a handful of other Chromium based browsers. It also digs around for credentials saved in password managers like 1Password, Bitwarden, Dashlane, LastPass and Keeper.On top of that, the malware tries to pull information from cryptocurrency wallets too, MetaMask, Phantom, Coinbase Wallet and Exodus are all targets. Researchers noted that once it's gathered all this sensitive info, CrashStealer sends it straight off to attackers, which puts victims at real risk of identity theft, financial fraud, and unauthorized access to their online accounts.Fake Meeting App and Apple-Like Prompts Used to Fool VictimsAccording to Jamf Threat Labs, attackers spread CrashStealer through what looked like a legitimate meeting app called Werkbit, and it seemed genuine enough since it actually carried a valid Apple Developer ID and notarization during the campaign.According to a Macworld report, after a person installed and opened the application, the program then secretly downloaded another package that is known as CrashReporter. dmg, a file that contained a bogus CrashReporter application.More articles by AuthorTrending StoriesThis package looked nearly the same to Apple's authentic crash reporting application. Then the fake, but incredibly well-made password prompt, which is something like the real system dialog for when an application tries to make changes in the System Preferences, made people feel as though they are required to do something about this message by typing in their password, without giving any attention to security.How to Protect Yourself from CrashStealer: A Step-by-Step Safety GuideThere's some good news here though, following a few basic cybersecurity habits can seriously cut down your risk of getting hit by something like this.Step 1: Stick to downloading apps from the Mac App Store or developer websites you actually trust.Step 2: Be wary of installing anything that shows up through a random meeting invite or an unfamiliar link.Step 3: Always double check any administrator password prompt carefully before you type anything in.Step 4: Keep macOS and your security updates current, don't let them sit around outdated.Step 5: Run solid endpoint security software that can actually catch malicious activity when it happens.Step 6: Turn on multi factor authentication for any accounts that really matter to you.According to Macworld, people should stay cautious even when an app looks completely legitimate, since attackers are increasingly leaning on trusted looking software specifically to slip past security checks.Discovery Highlights Evolving Threat Landscape for macOS UsersThis whole discovery is proof that Mac users really aren't as insulated from sophisticated malware as a lot of people assume. Apple's ecosystem has long had a reputation as the safer, more locked down platform, but it's clearly drawing more attention from cybercriminals chasing valuable personal and financial data these days.Macworld notes one reasonCrashStealer’s operation is so alarming is that the app came complete with Apple’s real notary and a legitimate developer’s certificate from the very beginning, giving it an aura of complete authenticity for any potential downloaders.Experts state that this campaign “exemplifies how the legitimate software distribution channel can be abused by the malicious actors until it is discovered.” And the campaign “also reflects the larger macro trend observed recently in which attackers are targeting cryptocurrency wallet information, password manager database files, and web browser credentials-precisely the high-value assets of interest in our digital age.”Jamf Threat Labs Tracked the Malware from Development to Active DeploymentAccording to Jamf Threat Labs, researchers first spotted suspicious samples of this malware back in early May, while it was still being developed. As they kept monitoring it, they watched it go fully operational by early July. Their technical investigation found that the whole campaign leaned on the Werkbit meeting app as its initial delivery method, before dropping that fake CrashReporter app onto victims' machines.The team dug into the malware's behavior, how it actually infected systems, and how it stuck around once installed, uncovering its attempts to grab browser info, password manager data and crypto wallet credentials along the way. Jamf then reported everything it found straight to Apple, which is what let the company actually take action against the malicious developer credentials tied to this whole campaign.Apple Revokes Developer Credentials to Limit Malware DistributionAccording to a report by Macworld, following a responsible disclosure by Jamf Threat Labs, Apple has revoked the Developer ID certificate for the malicious Werkbit application. Revoking this certificate means any new download of the application will be rejected from running because it is not marked as trustworthy, preventing new downloads from passing through macOS' Gatekeeper checks in the future. Cybersecurity professionals note Apple’s notarization system is designed to intercept and block malicious software after they are found out.However, they add malicious entities can still use legitimate software signatures to fly under the radar until discovered.Experts add this situation serves as a prime example that platform vendors and ordinary computer users alike must be actively watchful against the ongoing ingenuity of attackers’ social engineering ploys. FAQsIs CrashStealer a virus or malware affecting Mac computers?CrashStealer is a newly identified macOS information-stealing malware (infostealer) designed to extract sensitive data from infected devices, including saved passwords, browser information, password manager data and cryptocurrency wallet details.How do Mac users get infected with CrashStealer?Researchers found that CrashStealer was distributed through a fake meeting application called Werkbit. The app appeared legitimate because it used a valid Apple Developer ID and notarization, but it later downloaded a malicious CrashReporter application that attempted to trick users into providing administrator credentials.Can CrashStealer steal passwords and cryptocurrency wallet information?Yes. CrashStealer is designed to collect browser-stored credentials, password manager databases and data from various cryptocurrency wallets. Stolen information could potentially be used for account takeovers, identity theft or financial fraudend of article
New ‘Werkbit’ Meeting App Used to Spread CrashStealer Malware, Raising Fresh Security Concerns for Mac Users
Apple users faced a serious threat from a new malware operation involving a phony meeting application known as CrashStealer. This malicious software harvested sensitive passwords and cryptocurrency data from Macs. Attackers manipulated Apple's framework to disguise the app as trustworthy. Fortunately, Apple swiftly responded by revoking the developer’s credentials, effectively ceasing further app distribution.










