Nearly 40,000 Macs infected with mysterious malware, researchers say

The malware, dubbed Silver Sparrow, has not yet engaged in malicious activity.

Mysterious malware – which has yet to engage in malicious activity – infected nearly 40,000 Mac devices, according to cybersecurity firm Red Canary, which first detected the threat.

The malware, dubbed “Silver Sparrow” by Red Canary, is confusing researchers because of its elusive motives.

“Most malware has an end goal,” Brian Donohue, an intelligence analyst at Red Canary, told ABC News in an email. “It could be stealing confidential information, causing damage to devices or servers, or blocking access to data. In this case, we don’t really know what the end goal is, because we haven’t seen Silver Sparrow involved in malicious activity.”

Donohue noted, however, that most malware operations consist of several support functions that occur before malicious activities are performed, such as getting initial access or moving between devices on a network.

“In the case of Silver Sparrow, although we have not seen the final load, we have seen other parts of the malware’s operation,” he added. “For example, we observed the use of integrated macOS functions to install on victims’ machines and maintain persistence during reboots.”

Donohue said a member of the Red Canary cyber incident response team first detected the malware – which includes code that runs on Apple’s new M1 chip – based on a customer’s suspicious device behavior. The researchers have not identified where the malware came from.

“As of today, we can confirm that the threat has infected almost 40,000 macOS devices,” he told ABC News, citing published data from the antivirus company Malwarebytes, although he said that this is likely to be an “underestimation of the full scope of the threat.”

He added that the malware was described as mysterious for two reasons. The first is that it has no definite payload, so the researchers were unable to determine the purpose of the threat.

“The second is related to a file that, if present on an infected machine, causes Silver Sparrow to uninstall,” said Donohue. “We don’t know why this file is present on certain systems or why its presence causes Silver Sparrow to uninstall.”

Although Silver Sparrow does not currently deliver a malicious payload, Donohue said they are “concerned that it can be updated to deliver one at any time”.

“This is compounded by the fact that it is present in about 40,000 machines and all the infrastructure needed to withstand a more worrying threat,” he said.

Apple told ABC News that it has revoked the certificates for the developer accounts used to sign the packages, preventing new machines from becoming infected after the malware was discovered.

Apple noted its protection and security mechanisms and said that its App Store offers the safest place to get software for Macs. In addition, Apple said it uses industry-leading technical mechanisms to protect users by detecting and blocking malware for software downloaded outside the Mac App Store.

The company also noted, as clarified by the researchers, that there is no evidence to suggest that the new malware provided a malicious payload.
