Nearly 40,000 Macs infected by mysterious malware, researchers say

The malware, dubbed Silver Sparrow, has not yet engaged in malicious activity.

February 23, 2021, 4:32 PM

Mysterious malware that has not yet engaged in any malicious activity has infected nearly 40,000 Mac devices, according to the cybersecurity firm Red Canary, which first detected the threat.

The malware, dubbed by Red Canary as "Silver Sparrow," is baffling researchers because of its elusive motives.

"Most malware has an ultimate goal," Brian Donohue, an intelligence analyst at Red Canary, told ABC News via email. "It might be to steal sensitive information, cause damage to devices or servers, or block access to data. In this case, we don’t actually know what that ultimate goal is, because we haven’t observed Silver Sparrow engaging in malicious activity."

Donohue noted, however, that most malware operations consist of multiple supporting functions that occur prior to the execution of malicious activity, such as gaining initial access or moving between devices on a network.

"In the case of Silver Sparrow, while we haven’t observed the final payload, we have seen other parts of the malware operation," he added. "For example, we’ve observed it using built-in functions of macOS to install itself on victim machines and to maintain persistence across reboots."
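The persistence Donohue describes relies on built-in macOS facilities, and the article does not name which one. The script below is an added defender-side example, not code from Red Canary or from the article, and it assumes the common case of launchd jobs: it parses LaunchAgent and LaunchDaemon property lists and flags any auto-starting job whose program or arguments point outside an assumed allowlist of trusted system locations. The two sample plists it writes to a temporary directory are constructed for the demonstration.

```python
import os
import plistlib
import tempfile
from typing import Dict, List

# Directories launchd reads persistence jobs from on macOS (real defaults).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Assumed allowlist: program locations a defender would normally trust.
# Jobs that launch anything outside these (e.g. /tmp or a home directory)
# deserve a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")


def _paths_in(job: dict) -> List[str]:
    """Collect every absolute path a launchd job refers to via Program or ProgramArguments."""
    candidates = []
    if job.get("Program"):
        candidates.append(str(job["Program"]))
    candidates += [str(a) for a in job.get("ProgramArguments", [])]
    return [c for c in candidates if c.startswith("/")]


def audit_launch_items(dirs: List[str] = LAUNCHD_DIRS) -> List[Dict[str, object]]:
    """Parse every .plist in the given directories and report jobs that start
    automatically and reference a path outside TRUSTED_PREFIXES. Unparseable
    plists are reported too, since a malformed file in these directories is
    itself worth a look."""
    findings: List[Dict[str, object]] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:
                findings.append({"path": path, "label": "", "untrusted": [],
                                 "reason": f"unparseable plist: {exc}"})
                continue
            # RunAtLoad, StartInterval and KeepAlive all cause the job to run
            # without user interaction, i.e. to survive a reboot.
            auto_start = bool(job.get("RunAtLoad")) or "StartInterval" in job or "KeepAlive" in job
            untrusted = [p for p in _paths_in(job) if not p.startswith(TRUSTED_PREFIXES)]
            if auto_start and untrusted:
                findings.append({"path": path, "label": job.get("Label", ""),
                                 "untrusted": untrusted,
                                 "reason": "auto-start job references untrusted path(s)"})
    return findings


def build_sample_dir() -> str:
    """Write constructed sample plists to a temp dir: a benign-looking job,
    a job that re-runs a script from /tmp at every login, and a broken file."""
    d = tempfile.mkdtemp(prefix="launchd-audit-")
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}
    suspicious = {"Label": "com.example.suspicious",
                  "ProgramArguments": ["/bin/sh", "-c", "/tmp/agent.sh"],
                  "RunAtLoad": True, "StartInterval": 3600}
    for name, job in (("com.example.updater.plist", benign),
                      ("com.example.suspicious.plist", suspicious)):
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(job, fh)
    with open(os.path.join(d, "broken.plist"), "wb") as fh:
        fh.write(b"not a plist")
    return d


if __name__ == "__main__":
    # On a real Mac, call audit_launch_items() with no arguments to scan the
    # live launchd directories; here we run it over the constructed sample.
    for finding in audit_launch_items([build_sample_dir()]):
        print(finding)
```

The allowlist is deliberately coarse: a job under /Library/LaunchAgents that runs something from /usr/bin can still be malicious, so treat a clean report as a first filter, not a verdict, and pair it with the signing status of each referenced binary.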


Donohue said a member of Red Canary's cyber incident response team first detected the malware -- which includes code that runs on Apple's new M1 chip -- based on suspicious behavior from a customer's device. The researchers have not identified its origins.

"As of today, we can confirm that the threat has infected nearly 40,000 macOS devices," he told ABC News, citing published data from antivirus firm Malwarebytes, though he said he believes this is likely an "underestimation of the total scope of the threat."

He added that the malware has been called mysterious for two reasons. The first is that it lacks an ultimate payload, so researchers cannot determine the purpose of the threat.

"The second relates to a file that, if present on an infected machine, causes Silver Sparrow to uninstall itself," Donohue said. "We do not know why this file is present on certain systems or why its presence causes Silver Sparrow to uninstall itself."

Although Silver Sparrow currently does not deliver a malicious payload, Donohue said they are "concerned that it could be updated to deliver one at a moment’s notice."

"This is compounded by the fact that it has a presence on nearly 40,000 machines and all the infrastructure necessary to support a more concerning threat," he said.

Apple told ABC News that it revoked the certificates of the developer accounts used to sign the packages, preventing new machines from being infected, after discovering the malware.

Apple pointed to its security protections and mechanisms and said its App Store is the safest place to obtain software for Macs. Apple added that it uses industry-leading technical mechanisms to protect users by detecting and blocking malware in software downloaded from outside the Mac App Store.

The company also noted, as made clear by the researchers, that there is no evidence to suggest the new malware has delivered a malicious payload.