
This cannot be true!!!
Apple devices have "Security. Built right in." They told us we were safe!!!
This cannot be. <The sky just fell in!>
US security consultancy Red Canary says it’s found MacOS malware written specifically for the shiny new M1 silicon that Apple created to power its post-Intel Macs. Red Canary has named the malware “Silver Sparrow” and says it had found its way onto almost 30,000 MacOS devices as of February 17th. Red Canary’s post says it has …
Seems like quite a leap of faith and not backed up by the numbers: compromise the build servers and there'd be meeelions of compromised machines. Easy to wait for DNS or certificate SNAFUs and MITM. Better still: trick the user into installing whatever it is with maximum permissions.
"30,000 installs out of how many millions?"
I don't know, but from the Red Canary article: "According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints", so the answer is however many millions are running Malwarebytes AV on Macs, which is presumably just a subset of the overall millions of Macs.
I find the depth of the Apple hate to be most interesting. At time of posting, 13 downvotes to the post I'm replying to... and not one person addresses the central point: there were under 30,000 infections, out of an unknown number of millions of possible targets. Recall that there were variants for Intel-powered Macs as well as the M1 variant. This malware attack is barely a ripple in a teacup, but some posters are gloating over the Apple fail. Frankly, this kind of thing is why I have long ceased to take anything posted on El Reg about Apple, especially but not limited to anything posted by commentards, seriously.
Unleash the downvotes. It will merely confirm what I say. Especially if commentards continue to not address the central point.
I am not going to downvote you but it is very important to simply not parrot "only 30,000 infections!".
The greater question is where are the 30,000 infections?
If the attack is specifically targeted to a certain type of victim...oh, say, a nuclear generation site...you can claim "only 2,000 infections!" and the damage still can be quite significant.
Now, the Apple M1 silicon certainly isn't being used in nuclear control systems. But what about industrial espionage? Could the 30,000 infections be looking to permeate more secure systems? Get inside work-from-home systems to infiltrate much bigger corporate fish, such as bank systems?
So never dismiss the opening salvos as only "30,000 hits". The major bombardment could be intended to be a major whopper, for all we know.
I think the additional level of scrutiny applied to Apple in cases like this is just a direct consequence of its own claims, now and historically. When you actively boast about being good at something, it's valid that people pay more attention to your failures in that category.
That said, Doctor Syntax seems to hit the nail on the head. It's not 30,000 of all Macs, it's 30,000 of those Macs which run Malwarebytes AV. Which isn't likely a huge percentage of the total.
When it comes to security breaches the numbers don't really matter. What's more important is how the breach works and what the consequences are. While Apple generally does a good job of securing the OS even for the dumbest user, some of the changes of the last few years that are supposed to provide more security have actually eroded it. Or at least provided new vectors, because permission escalation is a necessary evil for most software.
Kneejerk comments aside, this sounds like a trojan horse attack? If so then I'd rather that be a risk than have Apple go full-iOS on us and prevent users from downloading and running software.
As a real-life Mac user I've already looked up how I can check whether I have this malware, and checked. Nobody, anywhere in the whole of the world, seriously believes that Macs are invulnerable.
"Nobody, anywhere in the whole of the world, seriously believes that Macs are invulnerable."
Sorry, but that is complete tosh. Every single non-technical Mac owner I know has at some point told me that one reason for their decision to buy a Mac was that they don't have any viruses or malware.
GJC
> this sounds like a trojan horse attack?
Well yes in the way it gets a user to click on something, which permits the download and install to happen. However, once installed...
From my reading of the report and some of the details missing from the disclosure, I suspect this was potentially developed and deployed either by a state player or someone who supplies state players; wasn't there a company in Israel that specialised in such tools...
Apple's big vulnerability is that practically everything begs for Admin access without bothering to give an explanation. Even if you're very careful about granting Admin access, an app's behavior looks the same whether it is updating itself or installing a bunch of malware because the developer's system was compromised.
No chip or OS is invulnerable. And hackers follow the news.
Intel x86 and Windows were the usual targets because of their popularity. With the rise in Mac popularity, especially with OS X and the M1, they have become popular enough to be a target as well.
Don't assume that the security that's built into a chip or OS is sufficient.
I’m always impressed by the ingenuity of the software developers who write effective worms and viruses. I’m still impressed, albeit perhaps a little less so, by the Trojan writers - at least, if they can bait their malware such that people actually install it but…
Imagine a world where they turned their talents to good? Where we don’t need to waste cpu on antivirus software and firewalls? Imagine what we could do with that power if it was available to do useful work?
We’d just use it for cat memes wouldn’t we? Well that’s a perfectly good daydream down the drain.
Imagine a world where they turned their talents to good?
Most of them do in due time, unless they can make more money when they don't.
Where we don’t need to waste cpu on antivirus software and firewalls?
In that case we would still "waste" it on defense against governments and government agencies (and in most cases that includes your own government).
Imagine what we could do with that power if it was available to do useful work?
Imagine ;)
I can’t upvote this enough. And even if the myth about the Mac being immune from malware was true (and I doubt that anyone really believes that it is), then responsible Mac users should still have anti-Malware software installed - just because you aren’t affected by it doesn’t mean that you can’t pass it on (by forwarding an email for example).
Besides, good Anti-Malware software is so easily available that there really isn’t any excuse. I use Clam on my Macs and my Linux machines, and I use Microsoft’s Windows Defender on my Windows 10 PC.
But what exactly are "all necessary precautions" that could help in this case - other than block all downloads?
From other, more detailed reports, the only reason Malwarebytes saw this was because they were prompted to look for specific files by Red Canary... Additionally, from the silence, we can assume that all other Mac AV manufacturers also missed this one.
The M1 really was an obvious target for miscreants. New platforms and software that have plenty of bugs to iron out are usually ripe for the picking.
Essentially the main reason I haven't picked one of these systems up yet is to let the early adopters get this pain out of the way. While Mac isn't my first choice (for me), it is extremely useful for the other half, and not having to answer yells of "The computer's bust again" and "it's obviously your fault".
Do not underestimate the value of happy wife, happy life! 30,000 malware infections looks like a big number, but remind me just how many infections there are proportionally on Windoze hardware for comparison. Hell, I've seen single PCs subjected to the spawn of Satan (teenagers that think they know what they are doing with computers) with hundreds of suspect files on...
Yeah, I bought my girlfriend and Mum each a MacBook Pro back in 2010, along with one for myself, and after the initial "How do I do...?" questions, the support requests completely stopped.
Have since upgraded to new Macs for them and that story continues. Reliable, easy to use and since they’re not local admins and I have AV software on them, easy days for me.
It’s a JavaScript API available to installers — once a user has downloaded and launched your installer, clicking through the appropriate permissions warnings, that API is available to you.
Including for misuse, apparently. This trojan appears to conceal files permanently in /tmp.
"They mentioned Amazon and Akamai in TFA, so there you go. Block those, and your employees won't be able to shop or surf the web.
Hang on, why was that bad again?"
Umm, because they will no longer be able to benefit from the wit and wisdom of The Register and its commentards?
Exactly. I’ve been taking care of enterprise netsec for about 17 years and so was able to witness more and more threats being clouded from cloud and CDN networks (and via SSL).
They certainly made my life more interesting! With SSL inspection and accelerated IPS.
Imagine my surprise when I first saw a user PC get malware infected from an advertisement hosted by Akamai, on a news article from a major newspaper.