The other day, a second piece of malware that runs natively on Macs with Apple's M1 chip was discovered, but Apple has reportedly already taken steps to prevent it from spreading further.

The malware, named “Silver Sparrow,” was reported to have infected about 30,000 Macs, including M1 models. The security company Red Canary, which analyzed it, found that the malware uses the macOS Installer's JavaScript API to execute suspicious commands during installation, rather than the preinstall and postinstall scripts that detection tools usually watch. Although Red Canary observed it for over a week, the final payload (the code that would actually carry out the malicious behavior) could not be confirmed, so what the real threat is remains a mystery.

In response, Apple told MacRumors that it has revoked the certificates of the developer accounts used to sign the packages, which prevents any further Macs from being infected. Apple also pointed out that, as Red Canary itself found, there is no evidence that the malware ever delivered a malicious payload to the infected Macs.

Apple operates a notarization system for apps distributed outside the App Store (so-called sideloaded apps). Developers must submit their apps to Apple, which scans them for malicious content and code-signing problems and then issues a notarization ticket. An unnotarized app is blocked by Gatekeeper, the macOS security mechanism, and cannot be launched, and because Gatekeeper also checks the signing certificate, revoking a developer account's certificate can stop an already-distributed app from launching after the fact.

Notarization started with macOS Mojave 10.14.5 in May 2019, and after a grace period the requirements were tightened in February 2020 (among other things, every executable must be signed with a Developer ID certificate and built with the hardened runtime).

As a side effect, when a Mac app launches, macOS contacts Apple's servers to check whether the signing certificate has been revoked (an OCSP lookup) and, if no notarization ticket is stapled to the app, to look the ticket up online. When those servers are overloaded, apps take abnormally long to launch or cannot be launched at all.
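For readers who want to see what Gatekeeper decides about an app on their own Mac, here is an added example (not from the article, Red Canary or Apple) of a small shell script that runs Gatekeeper's own assessment and a strict signature check on an app and reduces the result to a one-word verdict, covering both the unnotarized case and the revoked-certificate case described above. The `spctl` and `codesign` commands exist only on macOS; the sample outputs at the bottom are constructed to mimic the tools' wording, and the exact strings matched (`accepted`, `Notarized`, `Unnotarized`, `source=Developer ID`, `CSSMERR_TP_CERT_REVOKED`) are assumptions based on what those tools print rather than anything stated in the article.

```shell
#!/bin/sh
# Added example, not code from the article: classify an app the way
# Gatekeeper would, so a fleet script can flag unnotarized or revoked
# software. assess_app() needs macOS (spctl/codesign); classify_verdict()
# is plain string handling and is exercised on constructed samples below.

# Run Gatekeeper's policy assessment plus a strict signature verification
# and return the combined text (both tools write their verdict to stderr).
assess_app() {
    app="$1"
    spctl --assess --type exec --verbose=2 "$app" 2>&1
    codesign --verify --deep --strict --verbose=2 "$app" 2>&1
    return 0
}

# Map assessment text to one of:
#   revoked     - signing certificate revoked by Apple (checked first, since
#                 a revoked app is also reported as rejected)
#   notarized   - accepted, with a ticket from Apple's notary service
#   unnotarized - Developer ID signature present but no notarization
#   rejected    - anything else Gatekeeper would block (e.g. no signature)
# The matched strings are assumptions about the tools' output wording.
classify_verdict() {
    text="$1"
    case "$text" in
        *CSSMERR_TP_CERT_REVOKED*|*revoked*) echo revoked ;;
        *accepted*Notarized*)               echo notarized ;;
        *Unnotarized*|*"source=Developer ID"*) echo unnotarized ;;
        *)                                   echo rejected ;;
    esac
}

# Constructed sample outputs (not captured from real apps) in the shape
# spctl and codesign produce, used to exercise the classifier offline.
SAMPLE_NOTARIZED='/Applications/Good.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
/Applications/Good.app: valid on disk
/Applications/Good.app: satisfies its Designated Requirement'

SAMPLE_UNNOTARIZED='/Applications/Old.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_REVOKED='/tmp/update.app: rejected
source=Developer ID
/tmp/update.app: CSSMERR_TP_CERT_REVOKED'

SAMPLE_UNSIGNED='/tmp/dropper.app: rejected
source=no usable signature
/tmp/dropper.app: code object is not signed at all'

# Usage on a Mac:  sh gatekeeper_check.sh /Applications/Foo.app
if [ -n "$1" ]; then
    classify_verdict "$(assess_app "$1")"
fi
```

On macOS, `xcrun stapler validate /Applications/Foo.app` separately tells you whether a notarization ticket is stapled to the bundle, which is what lets the app launch without the online ticket lookup described above; the certificate revocation check still happens online.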

Some research has shown that while malware running natively on M1 Macs can be created easily, simply by recompiling existing malware for Apple silicon, most antivirus products have failed to detect the recompiled builds. We hope the notarization system and Gatekeeper will contain threats to the M1 Mac (and future Apple silicon models).
