This site contains user submitted content, comments and opinions and is for informational purposes only. Apple may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Apple can therefore provide no guarantee as to the. A new family of Mac malware dubbed Silver Sparrow (detected by Intego and others as OSX/Slisp) has apparently infected at least 40,000 Macs, according to reports. It is also one of the first pieces of Mac malware that runs natively on Apple’s new M1 processors. These facts combined have propelled Silver Sparrow into the mainstream media. The researchers found that Silver Sparrow contains code that runs natively on Apple's in-house M1 chip that was released in November, making only the second known malware to do so. Among other things, the iPhone malware is capable of stealing all keychains, photos, SMS messages, email messages, contacts, notes, and recordings. It can also retrieve the full call history, and is capable of doing real-time monitoring of the device location.

A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.

Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.

Advertisement

Reasonably serious threat

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary researchers wrote in a blog post published on Friday. “Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”

Silver Sparrow comes in two versions—one with a binary in mach-object format compiled for Intel x86_64 processors and the other Mach-O binary for the M1. The image below offers a high-level overview of the two versions:

So far, researchers haven’t seen either binary do much of anything, prompting the researchers to refer to them as “bystander binaries.” Curiously, when executed, the x86_64 binary displays the words “Hello World!” while the M1 binary reads “You did it!” The researchers suspect the files are placeholders to give the installer something to distribute content outside the JavaScript execution. Apple has revoked the developer certificate for both bystander binary files.

Silver Sparrow is only the second piece of malware to contain code that runs natively on Apple’s new M1 chip. An adware sample reported earlier this week was the first. Native M1 code runs with greater speed and reliability on the new platform than x86_64 code does because the former doesn’t have to be translated before being executed. Many developers of legitimate macOS apps still haven’t completed the process of recompiling their code for the M1. Silver Sparrow’s M1 version suggests its developers are ahead of the curve.

Once installed, Silver Sparrow searches for the URL the installer package was downloaded from, most likely so the malware operators will know which distribution channels are most successful. In that regard, Silver Sparrow resembles previously seen macOS adware. It remains unclear precisely how or where the malware is being distributed or how it gets installed. The URL check, though, suggests that malicious search results may be at least one distribution channel, in which case, the installers would likely pose as legitimate apps.

Advertisement

An Apple spokesperson provided a comment on the condition they not be named and the comment not be quoted. The statement said that after finding the malware, Apple revoked the developer certificates. Apple also noted there's no evidence of a malicious payload being delivered. Last, the company said it provides a variety of hardware and software protections and software updates and that the Mac App Store is the safest venue to obtain macOS software.

Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That’s a significant achievement.

“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints... and these are only endpoints the MalwareBytes can see, so the number is likely way higher,” Patrick Wardle, a macOS security expert, wrote in an Internet message. “That’s pretty widespread... and yet again shows the macOS malware is becoming ever more pervasive and commonplace, despite Apple’s best efforts.”

For those who want to check if their Mac has been infected, Red Canary provides indicators of compromise at the end of its report.

A phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender 'anti-virus' software to solve the issue.
This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.
The most common names for this malware are MacDefender, MacProtector and MacSecurity.

Apple released a free software update (Security Update 2011-003) that will automatically find and remove Mac Defender malware and its known variants.
The Resolution section below also provides step-by-step instructions on how to avoid or manually remove this malware.

Resolution

How to avoid installing this malware

If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.

In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password. Delete the installer immediately using the steps below.

1. Go into the Downloads folder, or your preferred download location.
2. Drag the installer to the Trash.
3. Empty the Trash.

How to remove this malware

If the malware has been installed, we recommend the following actions:

• Do not provide your credit card information under any circumstances.
• Use the Removal Steps below.

Removal steps

1. Move or close the Scan Window.
2. Go to the Utilities folder in the Applications folder and launch Activity Monitor.
3. Choose All Processes from the pop up menu in the upper right corner of the window.
4. Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector.
5. Click the Quit Process button in the upper left corner of the window and select Quit.
6. Quit Activity Monitor application.
7. Open the Applications folder.
8. Locate the app ex. MacDefender, MacSecurity, MacProtector or other name.
9. Drag to Trash, and empty Trash.

Apple Malwarebytes

Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.

• Open System Preferences, select Accounts, then Login Items
• Select the name of the app you removed in the steps above ex. MacDefender, MacSecurity, MacProtector
• Click the minus button

Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.

Apple Malware Protection

Note: Apple provides security updates for the Mac exclusively through Software Update and the Apple Support Downloads site. User should exercise caution any time they are asked to enter sensitive personal information online.