• 2 min read
Apple Pulled a Signed Mac App Tied to CrashStealer
Apple revoked Werkbit after researchers linked it to the CrashStealer malware for macOS, which stole passwords, browser data, and crypto wallets.

Image: iphones
Apple has revoked the signature for the Werkbit app after researchers linked it to CrashStealer malware on macOS. The malware posed as Apple’s built-in crash reporting service, asked for the system password and full disk access, then pulled data from browsers, password managers, and crypto wallets. Apple confirmed the malware was used in real-world attacks.
During an attack, CrashStealer collected information from browsers, 14 password managers, and more than 80 crypto wallet extensions. Targets included 1Password, LastPass, and Dashlane. It also searched the Downloads and Documents folders, where users often keep backup codes, seed phrases, scanned documents, and exported databases.
The infection chain was straightforward. Werkbit passed Apple’s checks and was signed, so it appeared legitimate in the system. After launch, it requested an administrator password and full disk access. It then accessed the macOS keychain, encrypted the stolen data using AES-256-GCM, and sent it to the attackers' server.
This is not the first time a macOS infostealer has hidden behind an “official” look. In 2023 and 2024, researchers also tracked campaigns involving Atomic macOS Stealer and Poseidon, both aimed at passwords, cookies, and cryptocurrency wallets. What makes the CrashStealer case more troubling is that the app had Apple approval, reinforcing a false sense of trust around developer signatures.

Recommended reading
In-toto secures software supply chains end to end
Apple has already revoked Werkbit’s certificate, and macOS should now block new installations of that specific app. But the underlying tactic remains intact: infostealer operators routinely rebuild droppers, change names, and try again to pass notarization. With the crypto market growing, interest in these attacks is also rising. Citing Chainalysis, the source notes that stolen crypto assets have amounted to billions of dollars in recent years, and access to a user’s browser and wallet remains one of the fastest routes to their money.
For Mac owners, the advice is familiar but useful: be cautious with apps outside the Mac App Store, especially if they ask for an administrator password and full disk access without a clear reason. If the CrashStealer campaign returns under a new name, the first indicators will likely show up in antivirus detections and XProtect updates in the coming weeks, not months.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via ITzine


