Mysterious malware discovered on 30,000 new Macs - and researchers have no idea what it was designed to do

Despite the M1 chip only launching in November, malware is already being designed for it

Adam Smith
Monday 22 February 2021 22:00 GMT


Security researchers have discovered a piece of malware called Silver Sparrow on 30,000 Mac computers, including those with Apple’s latest M1 chips.

The malware, discovered and documented by Malwarebytes and Red Canary, “did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems.”

Instead, having spread across 153 countries, the malware is designed to deliver a payload that the researchers have not yet identified.

It also has a mechanism to remove itself, hiding all trace of its existence.

As Ars Technica reports, infected computers check a server every hour to see if there are any new commands from malicious individuals to execute.

The malware is even stranger due to the fact it uses the macOS Installer JavaScript API to execute commands, which makes it hard to analyse the contents of the package.
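The installer-JavaScript mechanism described above is something defenders can check for: a macOS flat package carries a Distribution XML file whose `<script>` element can call the Installer JavaScript API, including `system.run`, which executes an external command while the package is being evaluated. The following Python is an added example and is not code from the article, Malwarebytes or Red Canary; the two Distribution files are constructed for illustration, and treating any `system.run`/`system.runOnce` call as worth flagging is this example's own heuristic, not a published indicator.

```python
import re
import xml.etree.ElementTree as ET

# Installer JavaScript API members that run an external command during
# installation-phase evaluation of a flat package's Distribution file.
CALL_PATTERN = re.compile(r"system\.run(?:Once)?\s*\([^)]*\)")

# Constructed sample (not a real Distribution file): the installer UI logic
# shells out to /bin/sh before the package's own payload is even written.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
    <title>Sample Package</title>
    <options customize="never" />
    <script>
    function installationCheck() {
        system.run("/bin/sh", "-c", "echo placeholder");
        return true;
    }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
</installer-gui-script>"""

# Constructed benign sample: JavaScript is present, but it only inspects
# the target volume and never executes a command.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
    <title>Benign Package</title>
    <script>
    function volumeCheck() { return my.target.systemVersion.ProductVersion >= "10.13"; }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
</installer-gui-script>"""


def find_command_execution(distribution_xml: str) -> list:
    """Return every system.run / system.runOnce call found inside the
    <script> elements of a Distribution file, in document order."""
    root = ET.fromstring(distribution_xml)
    findings = []
    for script in root.iter("script"):
        findings.extend(CALL_PATTERN.findall(script.text or ""))
    return findings


def is_suspicious(distribution_xml: str) -> bool:
    """True when installer JavaScript executes an external command."""
    return bool(find_command_execution(distribution_xml))
```

On macOS the Distribution file of a downloaded flat package can be extracted with `xar -xf package.pkg Distribution` and passed to `find_command_execution` before the package is ever opened in Installer.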

When the malware is executed, all that the researchers found were two messages: for computers using Intel chips, the malware displays the words “Hello World!”, while for M1 Macs it says “You did it!”

The researchers hypothesise that these are simply placeholders for a later execution.

“We’ve found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as a legitimate application—such as Adobe Flash Player—or as updates”, the researchers describe.

Apple has already revoked the binaries that could have led users to accidentally install the malware. The malware does not appear to have delivered any malicious payload, and the company emphasises that its own Mac App Store is the safest place to get software for its Mac computers.

For programs downloaded outside the store, Apple uses technical mechanisms, including the Apple notary service, to detect and block malware.

“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints... and these are only endpoints that Malwarebytes can see, so the number is likely way higher,” says Patrick Wardle, a macOS security expert, according to Ars Technica.

“That’s pretty widespread... and yet again shows the macOS malware is becoming ever more pervasive and commonplace, despite Apple’s best efforts.”

Silver Sparrow is not the only malware discovered for M1 Macs: Wardle found the first known instance of M1-targeting malware last week, a worrying indication of how quickly harmful software is being developed for Macs.

M1 Macs only launched in November last year, yet many people erroneously think that Macs are inherently safer than Windows PCs.

That, unfortunately, is not true. While Windows machines still dominate market share, Apple computers have grown in popularity.

Between 2018 and 2019, there was a 400 per cent increase in Mac threats - twice the average of Windows computers.
