If you have already bought an Apple M1 powered Mac, you need to be aware that it is not immune from viruses and malware. Security researchers have discovered that malware tuned to run on Apple's Arm-powered computers is already out there. We have the details…
AdWare Extension - GoSearch22
Independent Mac security consultant Patrick Wardle discovered that GoSearch22, a Safari adware extension originally written for Intel-powered Macs, has been reworked specifically for the M1 Macs. Patrick, who also develops open-source Mac security software, says…
“This shows that malware authors are evolving and adapting to keep up with Apple's latest hardware and software, as far as I know, this is the first time we've seen this.”
It turns out that Patrick is not alone: researchers from security company Red Canary told Wired that they are also investigating an example of native M1 malware, one that appears distinct from Patrick Wardle's findings.
Silver Sparrow - Malware with No Bite
Thomas Reed, a Mac security researcher with Malwarebytes, confirms the assessment that the adware was not very novel in itself and goes on to say…
“It definitely was inevitable—compiling for M1 can be as easy as flicking a switch in the project settings, and honestly, I’m not at all surprised by the fact that it happened in Pirrit first. That’s one of the most active Mac adware families, and one of the oldest, and they’re constantly changing to evade detection.”
The malware discovered by Red Canary has been given the name ‘Silver Sparrow’. Tony Lambert from Red Canary explains…
“Our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviours that we’ve come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware—and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture.”
According to data provided by Malwarebytes, as of February 17th, Silver Sparrow had infected 29,139 macOS computers across 153 countries, with significant clusters in the United States, the United Kingdom, Canada, France, and Germany.
But there is a curious element to Silver Sparrow, as Red Canary’s Tony Lambert explains…
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.”
Malware Created By People With Valid Apple Developer IDs
What is interesting is that Patrick discovered the adware was ‘signed’ on November 23rd 2020 with an Apple developer ID, a paid account that enables Apple to keep track of all Mac and iOS developers. Whether Apple notarized the code is not known; Patrick was unable to answer that question because Apple has since revoked the GoSearch22 certificate. What is known is that the malware is more than a ‘proof-of-concept’. Patrick explains…
“What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected. Looking at the (current) detection results (via the anti-virus engines on VirusTotal), it appears the GoSearch22.app is an instance of the prevalent, yet rather insidious, ‘Pirrit’ adware”
With regard to Silver Sparrow, Apple informed MacRumors that they have revoked the certificates of the developer accounts used to sign the packages, preventing additional Macs from being infected.
Joe Rossignol from MacRumors went on to say that…
“Apple also reiterated that Red Canary found no evidence to suggest the malware has delivered a malicious payload to Macs that have already been infected.
For software downloaded outside of the Mac App Store, Apple said it has mechanisms in place to protect users by detecting malware and blocking it so it cannot run. Since February 2020, for example, Apple has required all Mac software distributed with a Developer ID outside of the Mac App Store to be submitted to Apple's notary service, an automated system that scans for malicious content and code-signing issues.”
It seems that current tools are not detecting it as easily as the Intel version. Patrick Wardle says…
“Certain defensive tools like antivirus engines struggle to process this 'new' binary file format, they can easily detect the Intel-x86 version, but failed to detect the ARM-M1 version, even though the code is logically identical.”
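The detection gap Wardle describes comes down to whether a scanner can walk the Mach-O container at all: an M1 build is either a thin arm64 Mach-O or one slice inside a universal ("fat") binary, and a tool that only understands the Intel slice never sees the arm64 code. The following Python parser is an added example written for this article, not code from Wardle, Red Canary or any vendor; it reads the real Mach-O and fat header layouts from Apple's loader.h/fat.h, and the sample binaries it parses are constructed headers, not real executables.

```python
import struct

# Mach-O and universal ("fat") binary constants from <mach-o/loader.h> and <mach-o/fat.h>.
FAT_MAGIC = 0xCAFEBABE      # fat header and arch table are stored big-endian
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O header (little-endian on disk)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O header (little-endian on disk)
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {0x7: "i386", CPU_TYPE_X86_64: "x86_64", 0xC: "arm", CPU_TYPE_ARM64: "arm64"}

def _is_macho_at(data: bytes, offset: int) -> bool:
    """True if a Mach-O header magic sits at `offset` (guards against bad fat_arch entries)."""
    if offset + 4 > len(data):
        return False
    return struct.unpack("<I", data[offset:offset + 4])[0] in (MH_MAGIC, MH_MAGIC_64)

def macho_architectures(data: bytes) -> list:
    """List the architecture of every Mach-O slice in `data`, thin or universal."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):  # each fat_arch entry is 20 bytes, big-endian
            cputype, _sub, offset, _size, _align = struct.unpack(">IIIII", data[8 + i * 20: 28 + i * 20])
            if _is_macho_at(data, offset):  # only count slices that really hold a Mach-O
                archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    magic, cputype = struct.unpack("<II", data[:8])
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []  # not a Mach-O at all (a script, plain data, ...)

def has_arm64_slice(data: bytes) -> bool:
    """The check an M1-aware scanner needs: is there any arm64 code in this file?"""
    return "arm64" in macho_architectures(data)

# --- constructed sample binaries: headers only, no load commands or code ---
def thin_header(cputype: int) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)

def fat_binary(cputypes: list) -> bytes:
    """Universal binary wrapping one constructed thin header per cputype."""
    header = struct.pack(">II", FAT_MAGIC, len(cputypes))
    offset = 8 + 20 * len(cputypes)  # payload begins right after the arch table
    arch_table, payload = b"", b""
    for cputype in cputypes:
        body = thin_header(cputype)
        arch_table += struct.pack(">IIIII", cputype, 0, offset, len(body), 2)
        payload += body
        offset += len(body)
    return header + arch_table + payload
```

Pointing `macho_architectures` at the bytes of a real app binary (for example the main executable inside an .app bundle) reports which slices a detection signature would have to cover.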
Finding Silver Sparrow
Red Canary has included advice on looking for indications that your system could be infected with Silver Sparrow. These files are…
~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)
You can read much more about this in the Red Canary blog post, but advanced Mac users can start looking for these files in Finder. If the locations above don’t make sense to you then we strongly recommend that you leave well alone.
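For readers who would rather not hunt through Finder, this is an added Python check for the four Silver Sparrow file indicators listed above. It is written for this article and is not Red Canary's tooling; it takes the home and temp directories as parameters so it can be run against a real machine or, as in the `demo()` function, against a constructed scratch directory with two planted marker files.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The four file indicators Red Canary published for Silver Sparrow, keyed by the
# directory each lives under so the check can be pointed at any root.
INDICATORS = [
    ("home", "Library/._insu", "empty file used to signal the malware to delete itself"),
    ("tmp", "agent.sh", "shell script executed for installation callback"),
    ("tmp", "version.json", "file downloaded from S3 to determine execution flow"),
    ("tmp", "version.plist", "version.json converted into a property list"),
]

def find_silver_sparrow_indicators(home: Path, tmp: Path) -> list:
    """Return a triage record (path, description, size, mtime UTC) for each indicator present."""
    roots = {"home": Path(home), "tmp": Path(tmp)}
    hits = []
    for root, rel, why in INDICATORS:
        path = roots[root] / rel
        if path.is_file():
            st = path.stat()
            modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            hits.append((str(path), why, st.st_size, modified))
    return hits

def self_delete_signalled(hits: list) -> bool:
    """True when the ._insu marker is present, i.e. the malware was told to remove itself."""
    return any(path.endswith("._insu") for path, _, _, _ in hits)

def demo() -> list:
    """Constructed fixture: scratch home and tmp directories with two planted indicators."""
    base = Path(tempfile.mkdtemp())
    home, tmp = base / "home", base / "tmp"
    (home / "Library").mkdir(parents=True)
    tmp.mkdir()
    (home / "Library" / "._insu").touch()                # constructed: empty self-delete marker
    (tmp / "version.json").write_text('{"version":1}')  # constructed sample content
    return find_silver_sparrow_indicators(home, tmp)

if __name__ == "__main__":
    # Real scan of this machine: the actual home directory and /tmp.
    hits = find_silver_sparrow_indicators(Path.home(), Path("/tmp"))
    for path, why, size, modified in hits:
        print(f"{path}: {why} ({size} bytes, modified {modified})")
    if not hits:
        print("none of the published Silver Sparrow file indicators were found")
```

Absence of these files is not proof of a clean system, since the `._insu` marker exists precisely so the malware can remove itself; treat a hit as a reason to read the Red Canary post and investigate further.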
Intego, the makers of Virus Barrier, have produced a blog post “Silver Sparrow: 40,000 Macs Infected by Mysterious M1-native Malware” in which they explore the Silver Sparrow malware in much more detail. In this article they cover…
How does Silver Sparrow malware spread?
What potential harm can Silver Sparrow do to Macs?
Is Silver Sparrow really malware, or a mere proof of concept (PoC)?
Silver Sparrow is the second M1-native Mac malware discovered
Silver Sparrow is (at least) the sixth major Apple notarization failure
Silver Sparrow uses JavaScript during installation
Silver Sparrow has had wide distribution, but its goal is unknown
How can one remove or prevent Silver Sparrow and other threats?
Indicators of compromise (IoCs)
How can I learn more?
Let’s hope that the antivirus companies will release improved software that helps Apple M1 users in the fight against viruses and malware.