
MacStealer malware grabs iCloud passwords, files, and credit card details

Security researchers at Uptycs have identified a new piece of Mac malware, which they’ve dubbed MacStealer. The malware extracts your iCloud passwords, a wide variety of files, and credit card details stored in browsers.

The good news, however, is that you’d have to be very naive to fall victim to it …

Macworld reports on the discovery.

Uptycs found that MacStealer can get passwords, cookies, and credit card data from Firefox, Google Chrome, and Microsoft Brave browsers. It can extract several different file types, including .txt, .doc, .jpg, and .zip, and it can extract the Keychain database. According to information Uptycs gathered from the dark web, MacStealer’s makers are working on the ability to harvest Safari passwords and cookies, as well as data in the Notes app.

Once run, the malware gathers the data, compresses it all into a single zip file, sends the file to the bad guys, and then deletes the file from your Mac.

The report says Apple doesn’t appear to have blocked it.

It’s unclear if MacStealer has been logged in the database that tracks vulnerabilities and exposures, and Apple has not commented on the malware. Apple released updates for macOS Big Sur, Monterey, and Ventura on Monday, but based on the security notes, those updates do not appear to include patches for MacStealer.

However, MacStealer exploits no vulnerability in macOS: it relies entirely on the user running it, so there is nothing for a macOS update to patch. Malware of this kind is instead blocked by a signature update to XProtect, Apple’s built-in malware scanner, and XProtect updates are delivered in the background independently of macOS releases.

But the risk to tech-savvy users is very low

While the malware is powerful, it’s exceedingly unlikely that 9to5Mac readers would fall for it. First, it isn’t signed with a Developer ID certificate (and so isn’t notarized either), which means that on a Mac with default Gatekeeper settings a copy downloaded from the web will be refused when you try to open it; you would have to deliberately override that block.
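As an added example (not code from 9to5Mac, Macworld, or Uptycs), the script below performs the checks Gatekeeper relies on before it lets a downloaded app open: whether the download still carries the com.apple.quarantine attribute, whether the bundle is validly signed (codesign), and whether system policy would accept it (spctl --assess). The live checks shell out to Apple’s own command-line tools and therefore only give real answers on macOS; the quarantine-attribute parser is pure Python. The bundle path and the sample quarantine value are assumptions for illustration.

```python
"""Triage a downloaded .app bundle the way Gatekeeper would before letting it run.

Added example for this article; not code from 9to5Mac, Macworld or Uptycs.
The live checks (xattr, codesign, spctl) need a macOS host; the quarantine
attribute parser is pure Python and runs anywhere.
"""
import subprocess
import sys
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Decode the com.apple.quarantine xattr that browsers and Mail set on downloads.

    Format (semicolon-separated): hex flags; hex Unix timestamp; agent name;
    optional download UUID. Gatekeeper only inspects a bundle on first launch
    when this attribute is present, which is why stripping it (xattr -d) is the
    classic way droppers and impatient users sidestep the check.
    """
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    downloaded = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    return {
        "flags": int(fields[0], 16),
        "downloaded_at": downloaded.isoformat(),
        "agent": fields[2],
        "uuid": fields[3] if len(fields) > 3 else None,
    }


def _run(cmd: list) -> tuple:
    """Run an Apple CLI tool; return (exit status, combined output).

    A missing tool (e.g. running this on Linux) is reported as status 127 so the
    caller can still produce a verdict instead of crashing.
    """
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, f"{cmd[0]}: not available (not macOS?)"
    return proc.returncode, (proc.stdout + proc.stderr).strip()


def assess_app(bundle_path: str) -> dict:
    """Run the three checks that decide whether Gatekeeper will let an app open.

    - quarantine:   is the download flagged at all? (no attribute = no Gatekeeper check)
    - codesign:     is the bundle signed and unmodified?
    - spctl:        would system policy accept it? (needs Developer ID + notarization)
    """
    result = {}
    status, out = _run(["xattr", "-p", QUARANTINE_ATTR, bundle_path])
    result["quarantine"] = parse_quarantine(out) if status == 0 else None

    status, out = _run(["codesign", "--verify", "--deep", "--strict",
                        "--verbose=2", bundle_path])
    result["signed"] = status == 0
    result["codesign_output"] = out

    status, out = _run(["spctl", "--assess", "--type", "execute",
                        "--verbose", bundle_path])
    result["gatekeeper_accepts"] = status == 0
    result["spctl_output"] = out

    if result["gatekeeper_accepts"]:
        result["verdict"] = "would open without a Gatekeeper block"
    elif result["quarantine"] is None:
        result["verdict"] = "not quarantined: Gatekeeper would not even look at it"
    else:
        result["verdict"] = "Gatekeeper refuses it; opening needs a manual override"
    return result


if __name__ == "__main__":
    # Hypothetical bundle path; pass your own downloaded .app as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/Users/me/Downloads/Weed.app"
    for key, val in assess_app(target).items():
        print(f"{key}: {val}")
```

For an unsigned bundle like the one described here, codesign fails because the code object is not signed at all and spctl rejects it, so the verdict is that Gatekeeper refuses it. The middle branch is the one to watch for: a bundle with no quarantine attribute (copied from a USB stick, extracted by a tool that does not propagate the attribute, or deliberately stripped) never gets the Gatekeeper prompt in the first place.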

Second, it appears to have been distributed via an app called Weed, with a marijuana icon. You would need to manually install and run the app, and then type your Mac password into a prompt the app displays, ostensibly to grant it access to System Settings, for it to work.

However, it would be trivial to give the app a more convincing name and icon. Last month, for example, well-hidden cryptomining malware was found inside pirated copies of Final Cut Pro. You should of course only ever download apps from the Mac App Store or from trusted developer websites.

Malwarebytes recently published a 30-page report, which details the most common Mac malware. While the most common type is still adware – which hijacks your browser to replace ads with ones hosted by the attacker – more dangerous types do exist. The growing popularity of Macs in the enterprise sector has made them an increasingly popular malware target.

Photo: Remy_Loz/Unsplash

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!