M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery

The second known piece of malware that has been compiled to run natively on M1 Macs has been discovered by security firm Red Canary.

m1 mac mini screen
Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, neither Red Canary nor its research partners observed a final payload, so the exact threat that the malware poses remains a mystery.

Nevertheless, Red Canary said the malware could be "a reasonably serious threat":

Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

According to data provided by Malwarebytes, "Silver Sparrow" had infected 29,139 macOS systems across 153 countries as of February 17, including "high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany." Red Canary did not specify how many of these systems were M1 Macs, if any.

Given that the "Silver Sparrow" binaries "don't seem to do all that much" yet, Red Canary referred to them as "bystander binaries." When executed on Intel-based Macs, the malicious package simply shows a blank window with a "Hello, World!" message, while the Apple silicon binary leads to a red window that says "You did it!"

you did it silver sparrow
Red Canary shared methods for detecting a wide array of macOS threats, but the steps are not specific to detecting "Silver Sparrow":

- Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing in conjunction with a
command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
- Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

The first piece of malware capable of running natively on M1 Macs was discovered just days ago. Technical details about this second piece of malware can be found in Red Canary's blog post, and Ars Technica has a good explainer as well.

Popular Stories

2007 iPhone

Apple Discontinuing This 18-Year-Old iPhone Feature

Saturday February 8, 2025 3:51 pm PST by
The end of an 18-year era is on the horizon for the iPhone. Apple reportedly plans to announce a new iPhone SE as soon as next week, and the device is expected to feature a full-screen design with Face ID, instead of a Touch ID home button. That means Apple will no longer sell any new iPhone models with a home button, for the first time since the original iPhone launched. The home button...
oppo find n5 fingers

World's Thinnest Foldable Phone Launches Next Week

Monday February 10, 2025 3:05 am PST by
Oppo has confirmed a February 20 global launch for its Find N5, which the company claims is the world's thinnest device in the foldable phone category. The phone is expected to be re-branded as the OnePlus Open 2 in the US. The Chinese vendor has been teasing the device in the last few weeks, touting its waterproofing and nearly invisible display crease, and highlighting its thinness by compa...
m2 macbook air blue

M4 MacBook Air Release Continues to Appear Imminent

Monday February 10, 2025 10:56 am PST by
There continue to be signs of a new MacBook Air with an M4 chip, indicating that we could see the machine launch in the not too distant future. A private account on X today shared the identifiers that the MacBook Air will use, and those identifiers correspond to the M4 chip. According to the source, both the 13-inch MacBook Air and the 15-inch MacBook Air will be equipped with Apple's...
iPhone SE 4 Thumb 1

'New' iPhone SE Product Listing Appears on French Website

Wednesday February 12, 2025 6:49 am PST by
As the wait continues for Apple's long-rumored, fourth-generation iPhone SE, French electronics retailer Boulanger has prematurely published a product listing for a "new" model of the iPhone SE. The placeholder page says the device is "coming soon," but it offers no further information, and the price shown is obviously not real. The listing was spotted by a reader of the French technology...
watchOS 11 Thumb 2 1

Apple Releases watchOS 11.3.1

Monday February 10, 2025 10:04 am PST by
Apple today released watchOS 11.3.1, a minor update to the operating system that runs on the Apple Watch. watchOS 11.3.1 is compatible with the Apple Watch Series 6 and later, all Apple Watch Ultra models, and the Apple Watch SE 2. watchOS 11.3.1 can be downloaded by opening up the Apple Watch app and going to General > Software Update. To install the new software, the Apple Watch needs to...
sequoia

Apple Releases macOS Sequoia 15.3.1

Monday February 10, 2025 10:11 am PST by
Apple today released macOS Sequoia 15.3.1, a minor update to the macOS Sequoia operating system that came out last September. macOS 15.3.1 comes a few weeks after the launch of macOS Sequoia 15.3. Mac users can download the ‌‌‌macOS Sequoia‌‌‌ update through the Software Update section of System Settings. Apple has also released macOS 13.7.4 and macOS 14.7.4 for those who are...
Powerbeats Pro 2 Orange

Powerbeats Pro 2 Given to Customer Early, Expected to Debut Tomorrow

Monday February 10, 2025 7:42 am PST by
Apple's long-awaited Powerbeats Pro 2 are finally expected to be announced this Tuesday. Ahead of time, one lucky Walmart customer was able to get their hands on the earbuds early, according to a since-deleted Reddit post over the weekend. A leaked image of the Powerbeats Pro 2 in Electric Orange "My local Walmart had them in the cage," the Reddit user explained. "I asked if I can buy them...
iOS 18

Apple Releases iOS 18.3.1 With Bug Fixes

Monday February 10, 2025 10:09 am PST by
Apple today released iOS 18.3.1 and iPadOS 18.3.1, minor updates for the iOS 18 and iPadOS 18 operating systems that came out last September. iOS 18.3.1 comes two weeks after Apple released iOS 18.3. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. Apple has also released iPadOS 17.7.5 for those still running...
apple silicon mac lineup 2024 feature purple

Apple Increases Mac Trade-In Values for a Limited Time

Sunday February 9, 2025 3:53 pm PST by
Apple today increased its estimated trade-in values for select Mac models in the United States, with the full changes outlined below. Apple says the extra trade-in credit for select Macs is available with the purchase of an eligible new Apple device through April 2. The trade-in values increased by between $10 and $50. Model New Value Old Value MacBook Pro Up to $925 ...

Top Rated Comments

Vol Braakzakje Avatar
52 months ago
it’s Intel that tries to get people afraid to buy M1s
Score: 22 Votes (Like | Disagree)
chachawpi Avatar
52 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?
Score: 14 Votes (Like | Disagree)
Joniz Avatar
52 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
Because it’s nice to hear that more developers are porting to Apple Silicon.

It’s a feel-good article.
Score: 14 Votes (Like | Disagree)
CmdrLaForge Avatar
52 months ago
Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?
Score: 10 Votes (Like | Disagree)
Populus Avatar
52 months ago
Well, color me concerned.

Is this threat capable of infecting without our consent? (This is, allowing privileges when it tries to install itself). You know, requiring us to put the system password when required. Because otherwise, we should be safe just installing only from well known sources. Or Open Source software.

By the way thank you MacRumors (@Joe Rossignol, @arn) for letting us know about this issues. Just like on other issues like staingate and the butterflykeyboardgate, It is great that you report all this problems even if some people don’t like to hear about them.
Score: 9 Votes (Like | Disagree)
Populus Avatar
52 months ago

Thank you! I will not be buying anything that says M1 or M1x for at least 2 years.
Actually -and anyone who thinks I am wrong, please correct me- I think this threat is the same for Intel and M1 macs. It is compiled for both architectures.
Score: 8 Votes (Like | Disagree)