Malware monsters target Apple’s M1 silicon with ‘Silver Sparrow’

US security consultancy Red Canary says it’s found MacOS malware written specifically for the shiny new M1 silicon that Apple created to power its post-Intel Macs. Red Canary has named the malware “Silver Sparrow” and says it had found its way onto almost 30,000 MacOS devices as of February 17th. Red Canary’s post says it has …

  1. Anonymous Coward
    Anonymous Coward

    This cannot be true!!!

    Apple devices have "Security. Built right in." They told us we were safe!!!

    This cannot be. <The sky just fell in!>

    1. WolfFan Silver badge

      Re: This cannot be true!!!

      30,000 installs out of how many millions? Yeah, the sky sure is falling.

      1. chivo243 Silver badge
        WTF?

        Re: This cannot be true!!!

        Since some are on new Apple Silicon, are we seeing another SolarWinds compromise? Build servers have been infiltrated?

        1. Charlie Clark Silver badge

          Re: This cannot be true!!!

          Seems like quite a leap of faith and not backed up by the numbers: compromise the build servers and there'd be meeelions of compromised machines. Easy to wait for DNS or certificate SNAFUS and MITM. Better still: trick the user into installing whatever it is with maximum permissions.

      2. Doctor Syntax Silver badge

        Re: This cannot be true!!!

        "30,000 installs out of how many millions?"

        I don't know but from the Red Canary article; "According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints" so the answer is however millions are running Malwarebytes AV on Macs which is presumably just a subset of the overall millions of Macs.

      3. James O'Shea

        Re: This cannot be true!!!

        I find the depth of the Apple hate to be most interesting. At time of posting, 13 downvotes to the post I'm replying to... and not one person addresses the central point: there were under 30,000 infections, out of an unknown number of million possible targets. Recall that there were variants for Intel-powered Macs as well as the M1 variant. This malware attack is barely a ripple in a teacup, but some posters are gloating over the Apple fail. Frankly, this kind of thing is why I have long ceased to take anything posted on El Reg about Apple, especially but not limited to anything posted by commentards, seriously.

        Unleash the downvotes. It will merely confirm what I say. Especially if commentards continue to not address the central point.

        1. Snake Silver badge

          Re: 30,000 infections

          I am not going to downvote you but it is very important to simply not parrot "only 30,000 infections!".

          The greater question is where are the 30,000 infections?

          If the attack is specifically targeted to a certain type of victim...oh, say, a nuclear generation site...you can claim "only 2,000 infections!" and the damage still can be quite significant.

          Now, the Apple M1 silicon certainly isn't being used in nuclear control systems. But what about industrial espionage? Could the 30,000 infections be looking to permeate more secure systems? Get inside work-from-home systems to infiltrate much bigger corporate fish, such as bank systems?

          So never dismiss the opening salvos as only "30,000 hits". The major bombardment could be intended to be a major whopper, for all we know.

          1. Anonymous Coward
            Anonymous Coward

            Re: 30,000 infections

            Yep, the SolarWinds breach started with one hack, into them.

        2. WolfFan Silver badge

          Re: This cannot be true!!!

          It’s 17 downvotes now. And no-one has so far seen fit to say why, or to address the point. I’m not holding my breath waiting.

          1. ThomH Silver badge

            Re: This cannot be true!!!

            I think the additional level of scrutiny applied to Apple in cases like this is just a direct consequence of its own claims, now and historically. When you actively boast about being good at something, it's valid that people pay more attention to your failures in that category.

            That said, Doctor Syntax seems to hit the nail on the head. It's not 30,000 of all Macs, it's 30,000 of those Macs which run Malwarebytes AV. Which isn't likely a huge percentage of the total.

      4. Charlie Clark Silver badge

        Re: This cannot be true!!!

        When it comes to security breaches the numbers don't really matter. What's more important is how the breach works and what the consequences are. While Apple generally does a good job of securing the OS even for the dumbest user, some of the changes of the last few years that are supposed to provide more security, have actually eroded it. Or at least provided new vectors because permission escalation is a necessary evil for most software.

        1. Claptrap314 Silver badge

          FTFY

          "permission escalation is a necessary evil for most poorly designed software".

          Umm...wait. No, sorry. Nothing to fix.

          <sigh>

          1. Charlie Clark Silver badge

            Re: FTFY

            On a modern multimedia OS, any access to the hardware is essentially permission escalation, which makes the design even more important to reduce the inevitable vulnerabilities this entails.

            1. Claptrap314 Silver badge

              Re: FTFY

              And what happened to rings 1 & 2?

              Poor design goes a long, long way.

    2. ThomH Silver badge

      Re: This cannot be true!!!

      Kneejerk comments aside, this sounds like a trojan horse attack? If so then I'd rather that be a risk than have Apple go full-iOS on us and prevent users from downloading and running software.

      As a real-life Mac user I've already looked up how I can check whether I have this malware, and checked. Nobody, anywhere in the whole of the world, seriously believes that Macs are invulnerable.

      1. Geoff Campbell
        Stop

        Re: This cannot be true!!!

        "Nobody, anywhere in the whole of the world, seriously believes that Macs are invulnerable."

        Sorry, but that is complete tosh. Every single non-technical Mac owner I know has at some point told me that one reason for their decision to buy a Mac was that they don't have any viruses or malware.

        GJC

        1. Anonymous Coward
          Anonymous Coward

          Re: This cannot be true!!!

          Apple (used to) advertise that not getting viruses was a reason to use a mac and not a PC

          https://www.youtube.com/watch?v=hj9nykgwPf8

      2. Roland6 Silver badge

        Re: This cannot be true!!!

        >this sounds like a trojan horse attack?

        Well yes in the way it gets a user to click on something, which permits the download and install to happen. However, once installed...

        From my reading of the report and some of the details missing from the disclosure, I suspect this was potentially developed and deployed either by a state player or someone who supplies state players; wasn't there a company in Israel that specialised in such tools...

    3. Kevin McMurtrie Silver badge

      Re: This cannot be true!!!

      Apple's big vulnerability is that practically everything begs for Admin access without bothering to give an explanation. Even if you're very careful about granting Admin access, an app's behavior looks the same whether it is updating itself or installing a bunch of malware because the developer's system was compromised.

    4. Anonymous Coward
      Anonymous Coward

      Re: This cannot be true!!!

      I have had various friends working at Apple Cupertino since the early 1980s. They tell me anti-virus products have been mandatory on all on-campus machines at Apple the entire time. The "Macs can't get viruses" thing was just Trump's/Jobs's alternate facts BS.

  2. HildyJ Silver badge
    Boffin

    The curse of popularity

    No chip or OS is invulnerable. And hackers follow the news.

    Intel x86 and Windows were the usual targets because of their popularity. With the rise in Mac popularity, especially with OS X and the M1, they have become popular enough to be a target as well.

    Don't assume that the security that's built into a chip or OS is sufficient.

    1. Claptrap314 Silver badge

      Re: The curse of popularity

      Windows was not targeted merely for its popularity. Security was not a concern for u$ by any meaningful standard at least through Windows 98.

      "You look like you are writing a wormable virus. Would you like help with that?"

  3. amanfromMars 1 Silver badge

    Competitors Sowing the Seeds of FUD for Overcrowded Hostile Market Spaces

    Who are Red Canary? Never heard of them before?

    Yeah, that was/is the problem they and any of their customers and their services have.

    :-) Is that too cynical?

    1. Doctor Syntax Silver badge

      Re: Competitors Sowing the Seeds of FUD for Overcrowded Hostile Market Spaces

      "Who are Red Canary?"

      Rephrase that:

      whois redcanary.com

      Creation Date: 1998-11-19T00:00:00Z

  4. 45RPM Silver badge

    I’m always impressed by the ingenuity of the software developers who write effective worms and viruses. I’m still impressed, albeit perhaps a little less so, by the Trojan writers - at least, if they can bait their malware such that people actually install it but…

    Imagine a world where they turned their talents to good? Where we don’t need to waste cpu on antivirus software and firewalls? Imagine what we could do with that power if it was available to do useful work?

    We’d just use it for cat memes wouldn’t we? Well that’s a perfectly good daydream down the drain.

    1. A.P. Veening Silver badge

      Imagine a world where they turned their talents to good?

      Most of them do in due time, unless they can make more money when they don't.

      Where we don’t need to waste cpu on antivirus software and firewalls?

      In that case we would still "waste" it on defense against governments and government agencies (and in most cases that includes your own government).

      Imagine what we could do with that power if it was available to do useful work?

      Imagine ;)

      1. 45RPM Silver badge

        Kind of disappointed that that wasn’t a rickroll.

  5. trevorde Silver badge

    Finally!

    Some decent software has been released for macOS!

    1. Anonymous South African Coward Silver badge
      Trollface

      Re: Finally!

      Did Sir forget the trollface icon?

  6. I Am Spartacus
    Paris Hilton

    Safe Computers

    Just because you have a Mac it does not mean you don't take all necessary precautions. Safe Computing is like Safe Sex, you can never be too careful.

    Paris Icon - obviously

    1. 45RPM Silver badge

      Re: Safe Computers

      I can’t upvote this enough. And even if the myth about the Mac being immune from malware was true (and I doubt that anyone really believes that it is), then responsible Mac users should still have anti-Malware software installed - just because you aren’t affected by it doesn’t mean that you can’t pass it on (by forwarding an email for example).

      Besides, good Anti-Malware software is so easily available that there really isn’t any excuse. I use Clam on my Macs and my Linux machines, and I use Microsoft’s Windows Defender on my Windows 10 PC.

    2. Roland6 Silver badge

      Re: Safe Computers

      But what exactly are "all necessary precautions" that could help in this case - other than block all downloads?

      From other, more detailed reports, the only reason Malwarebytes saw this was because they were prompted to look for specific files by Red Canary... Additionally, from the silence, we can assume that all other Mac AV manufacturers also missed this one.

  7. Binraider

    Obvious Target

    The M1 really was an obvious target for miscreants. New platforms and software that have plenty of bugs to iron out are usually ripe for the picking.

    Essentially the main reason I haven't picked one of these systems up yet is to let the early adopters get this pain out of the way. While Mac isn't my first choice (for me), it is extremely useful for the other half and not having to answer yells of "The computers bust again" and "it's obviously your fault".

    Do not underestimate the value of happy wife, happy life! 30,000 malware infections looks like a big number but remind me just how many infections there are proportionally, on Windoze hardware for comparison. Hell, I've seen single PCs subjected to the spawn of satan (teenagers that think they know what they are doing with computers) with hundreds of suspect files on...

    1. SJP

      Re: Obvious Target

      Yeah, I bought my girlfriend and Mum each a MacBook Pro back in 2010, along with one for myself, and after the initial “How do I do...?” questions, the support requests completely stopped.

      Have since upgraded to new Macs for them and that story continues. Reliable, easy to use and since they’re not local admins and I have AV software on them, easy days for me.

  8. Steve Graham
    WTF?

    "Installer JavaScript API"

    "Installer JavaScript API". Does that mean what I think it means?

    1. ThomH Silver badge

      Re: "Installer JavaScript API"

      It’s a JavaScript API available to installers — once a user has downloaded and launched your installer, clicking through the appropriate permissions warnings, that API is available to you.

      Including for misuse, apparently. This trojan appears to conceal files permanently in /tmp.

  9. TheMeerkat Bronze badge

    “How the malware is distributed remains a mystery” = “we wrote it ourselves”?

  10. Eclectic Man Silver badge

    Phoning home

    This may be naive of me, but if the malware phones 'home' every hour, why is that web site not blocked?

    1. Anonymous Coward
      Anonymous Coward

      Re: Phoning home

      They mentioned Amazon and Akamai in TFA, so there you go. Block those, and your employees won't be able to shop or surf the web.

      Hang on, why was that bad again?

      1. Eclectic Man Silver badge

        Re: Phoning home

        "They mentioned Amazon and Akamai in TFA, so there you go. Block those, and your employees won't be able to shop or surf the web.

        Hang on, why was that bad again?"

        Umm, because they will no longer be able to benefit from the wit and wisdom of The Register and its commentards?

      2. SJP

        Re: Phoning home

        Exactly. I’ve been taking care of enterprise netsec for about 17 years and so was able to witness more and more threats being clouded from cloud and CDN networks (and via SSL).

        They certainly made my life more interesting! With SSL inspection and accelerated IPS.

        Imagine my surprise when I first saw a user PC get malware infected from an advertisement hosted by Akamai, on a news article from a major newspaper.

  11. cd

    So the way to defend against this is to add an empty file to a directory?

    1. ThomH Silver badge

      That's my understanding; `touch ~/Library/._insu` should do it.
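A small defensive script, added here as an example and not part of the thread or of Red Canary's write-up, that turns the one-liner above into an idempotent check: it reports whether the empty `._insu` marker file is present, creates it only when absent, and refuses to overwrite anything unexpected sitting at that path. The directory is a parameter so the same function can be pointed at `~/Library` on a real Mac or at a scratch directory; the marker name and its effect are taken from the comment above, and the script assumes nothing beyond that.

```shell
#!/bin/sh
# Added example (not from the thread): check for, and optionally create, the
# empty marker file discussed above. DIR is passed in rather than hard-coded so
# the check can be run against any home directory or a test directory.

MARKER_NAME="._insu"   # file name from the comment above

# check_insu_marker DIR
#   returns 0 -> marker present as an empty regular file (expected state)
#   returns 1 -> marker absent
#   returns 2 -> something else is at that path (non-empty file, dir, symlink)
check_insu_marker() {
  marker="$1/$MARKER_NAME"
  if [ ! -e "$marker" ] && [ ! -L "$marker" ]; then
    return 1
  fi
  if [ -L "$marker" ] || [ ! -f "$marker" ] || [ -s "$marker" ]; then
    return 2
  fi
  return 0
}

# ensure_insu_marker DIR
#   creates the empty marker when absent; leaves an unexpected object alone and
#   reports it, since silently replacing it would hide whatever put it there.
ensure_insu_marker() {
  dir="$1"
  marker="$dir/$MARKER_NAME"
  rc=0
  check_insu_marker "$dir" || rc=$?
  case "$rc" in
    0) echo "ok: $marker already present"; return 0 ;;
    1) : > "$marker" || return 3
       echo "created: $marker"; return 0 ;;
    *) echo "refusing: $marker exists but is not an empty regular file" >&2
       return 2 ;;
  esac
}

# Typical use on a Mac (commented out so the script is side-effect free):
# ensure_insu_marker "$HOME/Library"
```

Run `ensure_insu_marker "$HOME/Library"` on the machine in question; a return status of 2 means the path is already occupied by something other than an empty file and is worth a closer look before proceeding.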


Biting the hand that feeds IT © 1998–2021