
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,194
30,136


Over the weekend, we reported on the second known piece of malware compiled to run natively on M1 Macs. Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, security firm Red Canary did not observe any final payload, so the exact threat to users remains a mystery.


Nonetheless, Apple has since informed MacRumors that it has revoked the certificates of the developer accounts used to sign the packages, preventing additional Macs from being infected. Apple also reiterated that Red Canary found no evidence to suggest the malware has delivered a malicious payload to Macs that have already been infected.

For software downloaded outside of the Mac App Store, Apple said it has "industry-leading" mechanisms in place to protect users by detecting malware and blocking it so it cannot run. Since February 2020, for example, Apple has required all Mac software distributed with a Developer ID outside of the Mac App Store to be submitted to Apple's notary service, an automated system that scans for malicious content and code-signing issues.

Malware targeting M1 Macs has simply been compiled to run natively on the Arm-based architecture of the M1 chip, now that Intel-based Macs are slowly being phased out. For more details about the "Silver Sparrow" malware, read our earlier coverage.

Article Link: Apple Takes Step to Prevent Further Spread of 'Silver Sparrow' Malware on Macs
 

Robert.Walter

macrumors 68040
Jul 10, 2012
3,058
4,282
Developer certificates…

“Since February 2020, for example, Apple has required all Mac software distributed with a Developer ID outside of the Mac App Store to be submitted to Apple's notary service, an automated system that scans for malicious content and code-signing issues.”

It seems Apple's 3rd party s/w vetting and release system and its processes are ripe for rethinking.
 

Maconplasma

Cancelled
Sep 15, 2020
2,489
2,215
So does Apple then turn over the names, addresses, credit card info, etc. of the persons associated with those certificates to the police? You never hear about the next step.
The police don't deal with these types of matters. It requires a higher authority.
 

Steve N.

macrumors newbie
Mar 29, 2016
6
91
Albany NY


This was a proof of concept. Expect more malware that won't be benign.
 

velocityg4

macrumors 604
Dec 19, 2004
7,328
4,716
Georgia
This is going to end up the same way as all DRM - inconveniencing genuine users whilst bad guys find ways around it.

If Apple really had automated detection and scanning, how did it manage to infect so many machines?
It's because it's automated: if the malware sits outside the bounds of known malware and doesn't fall within the bounds of the detection algorithms, it'll fly right through.

I remember, a few years back, the best Windows antivirus was only about 60% effective on new, unknown threats, while 99-100% on known threats. Windows antivirus makers are vastly more experienced.

I don't blame Apple. They can only do so much to protect against the unknown without deeper reviews of software submitted, but that would increase approval time and developer costs. So, more developers may just skip certification on the Mac.
 

NMBob

macrumors 68000
Sep 18, 2007
1,893
2,398
New Mexico
I don’t blame Apple. They can only do so much to protect against the unknown. Without deeper reviews of software submitted. But that would increase approval time and developer costs. So, more developers may just skip certification on the Mac.
How bad off would the world be if JavaScript couldn't do things like run bash shell scripts? Some advertisers would probably lose money. It's a conspiracy. :)
 

thejadedmonkey

macrumors G3
May 28, 2005
9,148
3,147
Pennsylvania
So the Silver Sparrow developer steals some other developer's credentials and continues on? What stops the existing installed virus from working? The fact that it's not being automatically removed via Apple's malware scanner means nothing changed, not really, except that the developer needs to recompile.

So what other steps are being taken?
 

redpandadev

macrumors 6502
Jun 3, 2014
332
284
They should include something like Windows Defender to allow the user to scan his system files on demand, when in doubt.
If you go to Apple Menu -> About This Mac -> System Report (bottom right corner of the Overview tab), then in the list on the left browse through the various items in the Software section. This will list every application, extension, etc. on your system, where it came from, and who signed it.
 

MarcKerr

macrumors member
Mar 14, 2012
46
49
Indiana
Stolen certificates make it very easy for malware/viruses to infiltrate any OS, but a valid cert is not necessary to run this code. Users can easily bypass it in System Preferences > Security & Privacy > General, then just click Allow for whatever has been blocked. The certificate doesn't truly protect you; it does help, but it can't prevent malware.
 
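The two posts above both come down to one defender's question: who signed a given app or installer package, was it notarized, and does Gatekeeper still accept it now that Apple has revoked the certificates involved? The script below is an added example, not code from MacRumors, Apple or any poster in this thread. It assumes a Mac with the standard spctl, codesign and pkgutil tools, and its classification of the `source=` line relies on the wording recent macOS versions print; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from MacRumors, Apple or any poster in this thread.
# Reports who signed an app or installer package, whether it was notarized,
# and whether Gatekeeper still accepts it (a revoked Developer ID certificate
# shows up as a failed signature verification).
# Assumes macOS with the standard spctl, codesign and pkgutil tools; the
# `source=` wording matched below is what recent macOS versions print.

# Reduce the text printed by `spctl --assess -vv` to a single verdict word.
# Reads spctl output on stdin and prints one of:
#   rejected | notarized | signed-unnotarized | accepted | unknown
classify_spctl() {
  awk '
    /: accepted$/ { verdict = "accepted" }
    /: rejected$/ { verdict = "rejected" }
    /^source=/    { sub(/^source=/, ""); source = $0 }
    END {
      if (verdict == "rejected")          print "rejected"
      else if (source ~ /^Notarized/)     print "notarized"
      else if (source ~ /Developer ID/)   print "signed-unnotarized"
      else if (verdict == "accepted")     print "accepted"
      else                                print "unknown"
    }'
}

# Choose the Gatekeeper assessment type from the file name: .pkg installers
# are assessed as "install", everything else as "execute".
assess_type() {
  case "$1" in
    *.pkg) echo install ;;
    *)     echo execute ;;
  esac
}

# Assess one path. Exit status 0 when the check ran, 2 when the macOS tools
# are missing, so the script degrades cleanly on other systems.
assess_path() {
  path=$1
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not found: this check only runs on macOS" >&2
    return 2
  fi
  type=$(assess_type "$path")

  # spctl writes its verdict to stderr; -vv adds the source= and origin= lines.
  verdict=$(spctl --assess --type "$type" -vv "$path" 2>&1 | classify_spctl)
  printf 'gatekeeper=%s\t%s\n' "$verdict" "$path"

  if [ "$type" = install ]; then
    # Installer packages carry their own signature, checked by pkgutil.
    pkgutil --check-signature "$path"
  else
    # Signing chain and Team ID, so an unexpected identity is visible.
    codesign -dvv "$path" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    # Strict verification fails for revoked, tampered or missing signatures.
    if codesign --verify --strict "$path" 2>/dev/null; then
      echo "signature=valid"
    else
      echo "signature=INVALID (revoked, tampered or unsigned)"
    fi
  fi
}

# Usage: sh check_mac_signing.sh /Applications/Example.app /tmp/Example.pkg
# (placeholder paths; pass the items you want to inspect)
for p in "$@"; do
  assess_path "$p"
done
```

Run it against the items listed under System Report's Software section that you cannot account for. A result of `gatekeeper=rejected` or `signature=INVALID` on something already installed is exactly the case the thread raises: revocation stops new installs from being accepted, but it does not remove what is already on disk, so the output is a starting point for investigation rather than a clean-up.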

Kabeyun

macrumors 68040
Mar 27, 2004
3,407
6,346
Eastern USA
This is going to end up the same way as all DRM - inconveniencing genuine users whilst bad guys find ways around it.

If Apple really had automated detection and scanning, how did it manage to infect so many machines?
There are answers. Google is your friend. And automated scanning doesn’t preclude infection. You can only scan for what you know, plus some nefarious code patterns. Just ask virus experts.

Bad guys will make bad code and good guys will try to reduce its impact. What inconveniences are you referring to?
 