I should be getting my M1 MacBook Pro any day now, so it is with some concern that I have read about the latest malware threat, Silver Sparrow. This piece of malware has infected over 30,000 Macs worldwide.
In response, Apple has revoked the certificates of the developer accounts used to sign the packages. In so doing, it prevents new macOS machines from being infected. An Apple spokesperson was also keen to point out that "there is no evidence to suggest the malware they identified has delivered a malicious payload to infected users."
While that is true, every Mac infected with Silver Sparrow communicates with a control server every hour to see if there are new commands to carry out. So far, none seem to have been issued. The researchers also discovered that the malware includes the capability to remove itself from a system, meaning it could be used to execute a command and then promptly disappear.
Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence. Check out their detailed report here. Nothing new there. However, their investigation almost immediately revealed that this malware did not exhibit the behaviors expected from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution and from the emergence of a related binary compiled for Apple's new M1 chip.
While the malware doesn't appear to have any malicious intent, Red Canary is warning users that it could have been extremely harmful to the system due to its "chip compatibility, global reach, relatively high infection rate, and operational maturity."
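The two traits the article describes, persistence through a LaunchAgent and an hourly check-in with a control server, are both visible in the agent's property list, so a defender can audit `~/Library/LaunchAgents` for them. The following script is an added example written for this article, not code from Red Canary's report or from Apple; the sample plists are constructed for the demonstration, and the review heuristics (an "about hourly" `StartInterval` window, JavaScript run through a scripting host, and file paths outside trusted system locations) are assumptions of this example rather than published indicators.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Constructed sample LaunchAgent plists used only for this demonstration.
# They are not artifacts from the Silver Sparrow report.
SAMPLE_AGENTS: Dict[str, bytes] = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/osascript</string>
    <string>-l</string>
    <string>JavaScript</string>
    <string>/Users/demo/Library/Application Support/example/agent.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>""",
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Backup.app/Contents/MacOS/backup</string>
    <string>--sync</string>
  </array>
  <key>StartInterval</key><integer>86400</integer>
</dict>
</plist>""",
}

# Heuristic thresholds; these are assumptions of this example, not published indicators.
HOURLY_WINDOW = (3300, 3900)  # StartInterval values (seconds) treated as "about hourly"
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def audit_launch_agent(data: bytes) -> List[str]:
    """Return human-readable reasons why one LaunchAgent plist deserves a closer look."""
    agent = plistlib.loads(data)
    reasons: List[str] = []
    args = list(agent.get("ProgramArguments") or [])
    program = agent.get("Program") or (args[0] if args else "")

    # 1. A beaconing cadence: the article describes an hourly check-in with a control server.
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and HOURLY_WINDOW[0] <= interval <= HOURLY_WINDOW[1]:
        reasons.append(f"hourly StartInterval ({interval}s) matches a beaconing cadence")

    # 2. JavaScript execution through a scripting host (osascript -l JavaScript or a .js file).
    uses_js_host = "osascript" in program and "JavaScript" in args
    if uses_js_host or any(a.endswith(".js") for a in args):
        reasons.append("runs a JavaScript payload through a scripting host")

    # 3. Any referenced file path outside locations normally used by legitimate software.
    candidates = dict.fromkeys([program] + args)  # ordered de-duplication
    untrusted = [p for p in candidates if p.startswith("/") and not p.startswith(TRUSTED_PREFIXES)]
    if untrusted:
        reasons.append("references files outside trusted locations: " + ", ".join(untrusted))

    return reasons


def audit_all(agents: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Audit a mapping of plist filename -> plist bytes and return the reasons per file."""
    return {name: audit_launch_agent(data) for name, data in agents.items()}


def load_user_launch_agents(home: Path = Path.home()) -> Dict[str, bytes]:
    """Read every *.plist from the current user's LaunchAgents folder (empty if absent)."""
    agents_dir = home / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return {}
    return {p.name: p.read_bytes() for p in sorted(agents_dir.glob("*.plist"))}


if __name__ == "__main__":
    # Run against the constructed samples; swap in load_user_launch_agents() on a real Mac.
    for name, reasons in audit_all(SAMPLE_AGENTS).items():
        print(f"{'REVIEW' if reasons else 'ok':6} {name}")
        for reason in reasons:
            print(f"       - {reason}")
```

Run it as-is to see the constructed "updater" agent flagged on all three heuristics and the "backup" agent pass; on a real machine, feed `load_user_launch_agents()` into `audit_all` instead. A hit is a prompt for a human to inspect the agent, not proof of infection, since plenty of legitimate tools also use short timers or scripting hosts.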
Silver Sparrow is not the first malware to attack Apple's M1 chip. Adware was discovered a couple of weeks ago, and that developer's certificate was also revoked by Apple, preventing additional Macs from being infected with either piece of malware. Apple also reiterated that Red Canary found no evidence to suggest the malware has delivered a malicious payload to Macs that have already been infected.
For software downloaded outside of the Mac App Store, Apple has industry-leading mechanisms in place to protect users by detecting malware and blocking it so it cannot run. Since February 2020, Apple has required all Mac software distributed with a Developer ID outside of the Mac App Store to be submitted to Apple's notary service, an automated system that scans for malicious content and code-signing issues.
While this is only one example of potential malware attacking the new M1 chip, Small Dog Electronics recommends that you install Malwarebytes for ongoing protection.