MacOS Notarization Failed to Block Credential-Stealing Malware

What You Need to Know
- Apple’s notarization process failed to detect credential-stealing malware before it reached users.
- CrashStealer malware disguised as collaboration app steals passwords, crypto wallets, and password manager data.
- Malware passed Apple’s automated security checks and received official notarization before credential revocation.
- Apple’s notarization was designed as automated scanning but marketed as meaningful security guarantee.
The most interesting angle the source is underplaying: Apple’s notarization process, often cited as a key security guarantee, did not stop this malware from reaching users. That is the real story.
Apple’s notarization process failed to catch a credential-stealing Mac malware before it reached real targets. Security researchers have identified a campaign distributing a program called CrashStealer, which was initially cleared by Apple’s automated security checks and received official notarization before the company revoked the developer credentials. The window between approval and revocation is exactly where the damage happens.
The malware is built to steal browser passwords, crypto wallet credentials, and data saved in password managers. It arrives disguised as a legitimate collaboration app and, once installed, impersonates a native macOS system process to stay hidden. The design is deliberate and patient.
How Apple’s Notarization Became the Attack’s First Credential
Apple introduced notarization as a layer of automated scanning that developers must pass before their software can run on macOS without triggering Gatekeeper warnings. The idea is that Apple’s systems check submitted apps for known malware signatures and policy violations, and apps that pass receive a cryptographic ticket that macOS verifies at launch. It was never designed as a guarantee of safety, but Apple’s own marketing has consistently presented it as a meaningful security barrier, which is why users tend to trust notarized software.
CrashStealer passed that check. Apple has since revoked the developer credentials involved, which means the app should now trigger a Gatekeeper warning on any Mac running a current OS with standard security settings. But revocation is reactive, not preventive, and any user who downloaded and ran the app during the active window received no warning at all.
A Fake Meeting App Designed for Targeted Victims
The delivery mechanism is a fake collaboration app called Werkbit. Access to the download is gated behind a specific meeting PIN, a detail that strongly suggests attackers are contacting individual targets directly rather than spreading the link broadly. This is not a spray-and-pray campaign.
Once Werkbit runs, it silently contacts a remote server and pulls down the CrashStealer payload in the background. The malware then installs itself under the name CrashReporter, borrowing the identity of an actual macOS process that reports application crashes. Most users who noticed a process by that name would assume it belonged to the operating system.
What the Malware Does Once It Has Your Password
The attack’s most effective moment is a fake system authorization prompt that appears after installation. It looks identical to the standard macOS dialog that asks for your password to approve a system-level action. If you type your password, the malware immediately validates it, then uses it to unlock your Mac’s login keychain, which stores saved passwords across browsers and apps.
From there, CrashStealer packages the stolen credentials into an encrypted ZIP file and sends it to the attackers. It also writes itself into your login items so it runs automatically on every restart, meaning the data collection continues even after a reboot. The combination of keychain access, persistence, and encrypted exfiltration is straightforward but thorough.
For most users, the practical exposure is low. The PIN-gated delivery suggests a targeted campaign, not a mass distribution effort, and Apple’s credential revocation means Gatekeeper should now block the known version of Werkbit on updated Macs. If you have not downloaded an unfamiliar meeting or collaboration app recently and have not entered your password into an unexpected prompt, you are almost certainly not affected.
If you have done either of those things and something felt off, the recommended steps are:
- Disconnect from the internet immediately to stop any ongoing data exfiltration
- Change passwords for email, banking, and crypto accounts from a separate, unaffected device
- Perform a full erase and clean reinstall of macOS rather than attempting to remove the malware manually
The broader lesson is about password prompts specifically. macOS does ask for your password to authorize system actions, but any prompt that appears unexpectedly, outside of an action you deliberately initiated, deserves a hard stop before you type anything. Legitimate macOS processes do not need your password to run a crash reporter.
0 Comments