Nearly 30,000 Macs worldwide have been infected with mysterious malware, according to researchers at security firm Red Canary.
The issue was somewhat confounding to Red Canary researchers, who said it’s not clear what the malware’s goal is. In a blog post, the firm said it did not observe the malware delivering “malicious payloads” — essentially, harmful actions against a device.
The malware, which the company calls Silver Sparrow, does not “exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems,” Tony Lambert, an intelligence analyst at Red Canary, wrote.
Silver Sparrow includes a self-destruct mechanism that appears not to have been used, researchers said, adding that it’s unclear what would trigger that function. They are also uncertain of how the malware got onto infected computers, though they believe it may have been through malicious search results.
The researchers found that Silver Sparrow contains code that runs natively on Apple’s in-house M1 chip, which was released in November, making it only the second known malware to do so. However, this doesn’t necessarily raise red flags about the chip.
“New technology is going to be adopted by everybody — good guys, bad guys, everybody in between — it’s definitely something that’s going to happen,” Red Canary Intelligence Expert Tony Lambert said.
Though the intent of the malware is unclear, Red Canary said it decided to report the findings because the malware’s “forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat,” researchers wrote.
Researchers believe Silver Sparrow emerged and began infecting devices sometime last year.
Silver Sparrow infected 29,139 Macs in 153 countries as of February 17, with higher concentrations reported in the United States, United Kingdom, Canada, France and Germany, according to data from Malwarebytes, a website that blocks ransomware attacks. While that number seems large, it’s a small fraction of the millions of Macs in use around the world, though it’s possible there are infected devices not identified by researchers.
Apple revoked the developer certificates used by the malware, a company spokesperson said, which will prevent any future infections. Revoking the developer certificates also makes it harder for any existing infections to take additional actions.
Red Canary detailed some “indicators of compromise” in its blog post. For the average consumer, Lambert said he recommends simply using a reputable anti-virus or anti-malware program as a backstop to the existing protections that Apple builds into the macOS operating system, which are known for being strong.