2 min read

Apple Pulled a Signed Mac App Tied to CrashStealer

Apple revoked the Werkbit app after researchers linked it to the CrashStealer macOS malware, which stole passwords and crypto wallet data.

Image: iphones

Apple has revoked the signature for the Werkbit app after researchers linked it to the CrashStealer malware for macOS. The malware posed as Apple’s built-in crash reporting mechanism, asked users for a system password and full disk access, then extracted data from browsers, password managers, and crypto wallets. Apple has confirmed the malware was used in real-world attacks.

Information about the Werkbit.app application on macOS version 1.2.0
Information about the Werkbit.app application on macOS version 1.2.0

During an attack, CrashStealer collected information from browsers, 14 password managers, and more than 80 crypto wallet extensions. Targets included 1Password, LastPass, and Dashlane. It also searched the Downloads and Documents folders, where users often keep backup codes, seed phrases, document scans, and exported databases.

The infection chain was simple. Werkbit passed Apple’s checks and was signed, making it look legitimate in the system. Once launched, it requested an administrator password and full disk access. It then accessed the macOS keychain, encrypted stolen data with AES-256-GCM, and sent it to the attackers' server.

This is not the first time a macOS infostealer has hidden behind an “official” appearance. Researchers previously documented Atomic macOS Stealer and Poseidon campaigns in 2023 and 2024, both aimed at passwords, cookies, and cryptocurrency wallets. But the CrashStealer case stands out because the app had Apple’s approval, even though developer signing is only one security filter, not a guarantee of safety.

Recommended reading

Qantas avoids privacy probe after 5.7 million-record breach

Apple has already revoked Werkbit’s certificate, and macOS should now block new installations of that specific app. But the broader tactic remains active: infostealer operators routinely rebuild droppers, rename them, and try to pass notarization again. Against a rising crypto market, the incentive is obvious. Citing Chainalysis, the source notes that stolen crypto assets in recent years have consistently been measured in billions of dollars.

For Mac users, the advice is familiar but still useful: be especially careful with apps installed outside the Mac App Store, particularly if they ask for an administrator password and full disk access without a clear reason. If the CrashStealer campaign resurfaces under a new name, the first signs are likely to appear in antivirus detections and XProtect updates within the next weeks, not months.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via ITzine

// Keep reading