A newly uncovered macOS malware campaign is exploiting Apple’s notarization system to distribute malicious software that evades the company’s primary security safeguard, Gatekeeper, without triggering user warnings. Cybersecurity researchers have identified multiple strains—including CrashStealer and Odyssey Stealer—that impersonate legitimate Apple tools to steal passwords, cryptocurrency wallet credentials, and system data from users across more than 100 countries.
What Happened
Security firms The Hacker News, BleepingComputer, and CyberSecurityNews reported this week that CrashStealer is being distributed through a notarized dropper—a malicious installer that has been falsely authenticated by Apple’s notarization service. Notarization is a process in which Apple scans software for known malware and approves it for distribution, allowing it to bypass Gatekeeper, the macOS security feature that blocks untrusted applications from running unless explicitly overridden by the user.
In this case, the malware was notarized by Apple, meaning it passed the company’s automated security checks and was granted a digital signature that macOS recognizes as legitimate. As a result, when users download and run the installer, Gatekeeper does not display its usual warning dialog, allowing the malware to execute silently. According to Forbes, this marks the first documented instance of a password-stealing malware bypassing Gatekeeper without any user notification.
Once installed, CrashStealer operates as a data exfiltration tool, harvesting saved passwords, browser cookies, system credentials, and cryptocurrency wallet information. A related threat, Odyssey Stealer, has been observed targeting over 300 crypto wallet browser extensions, including MetaMask, Trust Wallet, and Phantom, across macOS systems in more than 100 countries, according to CyberSecurityNews.
Why It Matters
The incident raises serious questions about the reliability of Apple’s notarization system and the effectiveness of Gatekeeper as a first line of defense. Notarization was introduced in macOS 10.15 (Catalina) as a way to reduce the risk of malware by requiring developers to submit their software for automated security review before distribution. While the system is not foolproof—Apple has previously revoked notarization for malicious apps—this is the first known case of a password-stealing malware being notarized and deployed at scale without detection.
The attack also highlights a growing trend of supply-chain-style malware distribution on macOS, where attackers compromise legitimate-looking installers to gain access to sensitive data. Unlike traditional phishing or drive-by download attacks, this method exploits trust in Apple’s own security infrastructure, making it harder for users to detect.
For cryptocurrency users, the threat is particularly acute. Odyssey Stealer’s focus on wallet extensions suggests a financially motivated campaign targeting individuals with significant digital asset holdings. With over 300 extensions in its crosshairs, the malware could enable large-scale theft of private keys and seed phrases, potentially leading to irreversible financial losses.
Background and Context
Apple has long marketed macOS as a more secure alternative to Windows, citing its Unix-based architecture, sandboxing, and Gatekeeper as key defenses against malware. While macOS malware has historically been less common than Windows malware, the platform has seen a steady increase in sophisticated threats over the past five years, driven by the growing popularity of Macs among developers, financial professionals, and cryptocurrency users.
Notarization was introduced in 2019 as part of Apple’s effort to tighten security without requiring all software to be distributed through the Mac App Store. Developers submit their apps to Apple for automated scanning; if no malware is detected, the app is notarized and can be distributed outside the App Store while still bypassing Gatekeeper warnings. Apple has revoked notarization for several malicious apps in the past, including Silver Sparrow in 2021 and XLoader in 2022, but the process is not real-time and relies on post-distribution detection.
This latest incident suggests that attackers are now actively testing and refining malware to pass Apple’s notarization checks, raising concerns about the long-term viability of the system as a security control.
Competing Claims and Uncertainty
Apple has not publicly acknowledged the issue or issued a security update to revoke the notarization of the malicious installers. In a statement to BleepingComputer, an Apple spokesperson declined to comment on the specifics of the malware but reiterated that users should only download software from trusted sources, such as the Mac App Store or verified developers.
Cybersecurity researchers are divided on the root cause of the bypass. Some, including analysts at The Hacker News, suggest that the attackers may have exploited a flaw in Apple’s notarization pipeline, possibly by submitting a benign version of the app for approval and later swapping in malicious code. Others, such as researchers at Jamf, a macOS security firm, argue that the malware may have been obfuscated or packed in a way that evaded Apple’s automated scans, which are known to focus on known malware signatures rather than behavioral analysis.
There is also uncertainty about the scale of the infection. While CyberSecurityNews reports that Odyssey Stealer has affected users in over 100 countries, no independent verification of these numbers has been provided. The lack of telemetry data from Apple or major antivirus vendors makes it difficult to assess the true reach of the campaign.
What to Watch Next
1. Apple’s Response: Security experts are closely monitoring whether Apple will revoke the notarization of the malicious installers and release a macOS update to strengthen Gatekeeper’s detection capabilities. A patch could include improved behavioral analysis or stricter validation of notarized apps.
2. Detection and Mitigation Tools: Antivirus vendors such as Malwarebytes, Intego, and Sophos are expected to update their macOS security products to detect CrashStealer and Odyssey Stealer. Users are advised to run scans with updated definitions.
3. Regulatory Scrutiny: The incident could draw attention from regulators, particularly in the European Union, where Apple is already under investigation for its App Store policies under the Digital Markets Act (DMA). While the DMA does not directly address malware, the bypass of Gatekeeper could be cited as evidence of insufficient platform security.
4. Cryptocurrency Theft Trends: The targeting of crypto wallet extensions suggests a shift in macOS malware tactics. Analysts will be watching for similar campaigns targeting other high-value digital assets, such as NFTs or decentralized finance (DeFi) platforms.
5. Developer and Enterprise Impact: Organizations that rely on macOS for development or financial operations may need to reassess their security policies, particularly around software installation and endpoint protection.
Conclusion
The discovery of CrashStealer and Odyssey Stealer marks a significant escalation in macOS malware sophistication, exposing critical weaknesses in Apple’s notarization and Gatekeeper systems. While macOS remains a relatively secure platform, this incident underscores that no operating system is immune to targeted attacks, especially when attackers exploit trust in the platform’s own security mechanisms.
For users, the advice remains clear: verify the source of any software before installation, even if it appears to be notarized by Apple. Enabling XProtect, macOS’s built-in malware protection, and using reputable antivirus tools can provide an additional layer of defense. However, the ultimate responsibility lies with Apple to address the underlying vulnerabilities in its notarization process before more users fall victim to similar attacks.
As the threat landscape evolves, so too must Apple’s security infrastructure—particularly as macOS continues to gain traction among high-value targets in finance, technology, and cryptocurrency.
Story synopsis gathered from: Google News India – Technology — source.
Corrections
If you believe this article contains an error, contact Herald Express with the source URL and supporting evidence.
Story synopsis gathered from: Google News India – Technology — source.

