Silver Sparrow Malware Infects Over 30,000 Macs

Inside Apple Store

There is a well-known adage that says “an apple a day keeps the doctor away”. In much the same way, the famous tech brand named after the fruit has been synonymous with safety in the tech world. The brand in question is, of course, Apple. Apple’s operating systems and technology ecosystems have always been highly regarded when it comes to simplicity, safety, and stability. Apple is not known for security breaches in their software, because historically it was always platforms like Windows and Android that bore the brunt of malware attacks.

Apple’s reputation has recently been shaken, though. Waves of malware known as ‘adware‘ have been advancing rapidly, and now even the tech giant’s bulletproof reputation is at risk as news of recent concerns arises.

Detection engineers working at security platform Red Canary have detected a potentially severe variant of malware designed to be compatible with Apple’s new M1 chip. The specific malware in question, named ‘Silver Sparrow’ is a new malware family targeting these chips. Silver Sparrow is now the latest variant following the release of the ‘Pirrit’ adware only a few days earlier.

The M1 Chip

It has been a good while since Apple has been using their own proprietary processors. Instead, Apple has for a long time now opted for using Intel chips. It wasn’t until a few months ago that they would roll out the first chip “specifically designed for Mac”. The new chips would promise longer battery life, more power, and better safety. The change has been expected for a long time when it comes to the Apple computer line.

What is Silver Sparrow?

As researchers are rushing to prevent a new wave of malware targeting Apple’s latest hardware, they have managed to uncover a second malware wave affecting devices with the M1 chip. The malware in question, Silver Sparrow, belongs to a new adware family that targets both older and newer machines.

Silver Sparrow has two versions, a version that targets the previous Intel-based generation of Macs, as well a version that targets the new M1s. Researchers have revealed the following details about Silver Sparrow;

  • Silver Sparrow uses JavaScript to execute itself, uncommon for past Apple malware
  • The spread of the malware and payload is still unclear to researchers
  • It has a high infection rate and potentially global reach
  • The payload would be delivered in ‘packages’ including PKG or DMG installers
  • The installers are illegitimate, disguised as official app updates
  • It is hiding on Amazon’s Web Service S3 cloud platform, blending in with other traffic
  • It is only the second type of malware ever detected to behave in this way, revealing that it is highly sophisticated
  • Silver Sparrow communicates with an outside ‘operator’, with the ability to launch an attack at any moment
  • After testing, researchers encountered message windows with the words ‘Hello World’ and ‘You did it!’

What Happened?

According to Red Canary, Silver Sparrow has spread rapidly, and it is reported that over 30,000 M1 Mac machines have been infected so far (although this is a rough estimation at the moment).

In a recent report by research team Red Canary, they stated that: “According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17”.

Additional information reveals that Silver Sparrow has hit high infection concentrations in Germany, France, Canada, the UK, and the US.

The Mystery

Researchers stated that “The ultimate goal of this malware is a mystery” since it has not yet shown any activity of delivering ‘payloads’. Payloads are the final stage of infection where the adware launches a program that then either steals data or has some other malicious function.

Researchers are baffled by the mysterious, seemingly incomplete malware. Possibly, the way Sparrow works according to Red Canary, is that “malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download”.

Further details in the report reveal that the researchers have no way of finding out the end goal of this malware, or what the creator’s “future timeline” is.

Apple’s Response

Apple’s response to these potential threats was to revoke the developer certificates, to stop the spread of the malware. For both the earlier malware variant as well as the current Silver Sparrow, Apple has reportedly revoked all developer certificates.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at, while in his free time he likes to work on documentary projects, read about sociology and write about world events.
Leave a comment
  1. “Apple’s response to these potential threats was to revoke the developer certificates, to stop the spread of the malware.”

    My understanding is that this may prevent them from infecting more machines, but what is Apple doing about the machines already infected?

    • Hi Marty. I haven’t come across an official explanation from Apple regarding this issue or whether they have fixed the vulnerabilities in a security patch. Macobserver has stated that users can manually check to see if these files exist that indicate an infection;

      ~/Library/._insu (empty file used to signal the malware to delete itself)
      /tmp/ (shell script executed for installation callback)
      /tmp/version.json (file downloaded from from S3 to determine execution flow)
      /tmp/version.plist (version.json converted into a property list)\

      You can also check out this Apple discussions page: Of course, contacting Apple support on the subject is also a good idea. I hope this helps!

Leave a comment