
Apple Takes Action to Limit Impact of Silver Sparrow Malware

We previously covered the mysterious new strain of Mac malware that researchers named Silver Sparrow. The malware was detected in the second half of February 2021 by researchers working with Red Canary.

According to published figures, Silver Sparrow has infected around 30,000 Mac computers. The affected systems are spread across some 150 countries, but the largest clusters of infected machines are in English-speaking countries, France and Germany.

Apple reacted swiftly to the newly discovered malware. The company revoked the certificates of the developer accounts that had been used to sign Silver Sparrow's installer packages. Once a signing certificate is revoked, Gatekeeper refuses to run packages signed with it on any Mac that can check the certificate's status, which should stop Silver Sparrow from spreading to further Macs. Revocation does not, however, remove the malware from machines that are already infected; those still have to be cleaned up.

A spokesperson for Apple pointed out that, so far, the malware has not delivered a malicious payload to affected users. This is part of the mystery surrounding Silver Sparrow.

What is the Silver Sparrow Malware doing to Mac computers?

The security researchers who spotted the malware noticed that, although it actively communicated with its command and control servers, it never downloaded a real malicious payload once the initial installer had run. Many Mac users hit by variants of Silver Sparrow have seen an alert reading '[APP NAME] will damage your computer. You should move it to the Trash.' That alert is the standard macOS notice shown when the system blocks an app it has flagged as malware or whose signing certificate has been revoked; it indicates that macOS has caught a Silver Sparrow variant or another potentially unwanted program, not that the program has run.

Image: example of the "[APP NAME] will damage your computer. You should move it to the Trash" pop-up message on a Mac

Silver Sparrow most likely spreads through Mac applications downloaded from sources other than the official Mac App Store, and through files posing as updates to Adobe Flash Player, which Adobe discontinued at the end of 2020.

It is still unclear whether Silver Sparrow has sandbox-detection capabilities that kept it from downloading its real payload on the researchers' systems. The confidence with which Apple's spokesperson stated that there had been no "malicious payload to affected users" lends some weight to the theory that Silver Sparrow is simply a test platform for a future malware release.

The malware also runs natively on Apple's new M1-based Macs: one of its variants ships as a universal binary containing both Intel and Apple Silicon code. That may indicate that Silver Sparrow is a first step towards a future threat targeting the new hardware. Whether that is the case remains to be seen.

M1 is Apple's first in-house system on a chip for the Mac, designed by Apple and manufactured by TSMC on a 5 nm process.
