Malware for the M1 Macs are like London buses. You wait ages for one, then two come along at the same time.

Well, "the same time" might be pushing it a little, since malware outbreaks - if discovered by responsible bodies - tend to be reported to the public some time after they are discovered and, hopefully, patched. The first recorded malware for M1 Macs - the Safari extension GoSearch22 which is adware, was reported to VirusTotal as early as December 2020, but only became public knowledge in February 2021. This time we're hearing about the second.

(The news comes at a time when Apple is publicly arguing for M1 Macs being safer than Intel ones - a claim that these two pieces of malware, of course, do not by themselves disprove.)

Security firm Red Canary (reported by MacRumors) discovered the new malware, which targets Macs equipped with the new M1 processors. The malware is named Silver Sparrow, and uses the macOS Installer Javascript API to execute commands. Here's what you need to know.

What is Silver Sparrow?

Nobody knows for sure. Once on a Mac Silver Sparrow connects to a server once an hour. Security researchers are concerned that it could be gearing up for a major attack.

Security company Red Canary believes that, while Silver Sparrow has now yet delivered a malicious payload, it could pose a fairly serious threat.

The malware has become notable because it runs on Apple's M1 chip. That doesn't necessarily indicate that the criminals are specifically targeting M1 Macs, rather it suggests that both M1 Macs and Intel Macs can be infected.

How many Macs are infected?

According to Malwarebytes (as of February 2021) Silver Sparrow has infected 29,139 macOS systems in 153 countries, but most of them are in the US, UK, Canada, France and Germany.

It is unclear how many of these are M1 Macs. According to information, both Intel and M1 Macs are affected, but we do not know exactly what the distribution looks like. 

What does Silver Sparrow do?

What is known is that the infected computers contact a server once an hour, so it may be some form of preparation for a major attack.

The malware uses the Mac OS Installer Javascript API to execute commands.

The security company has been so far unable to determine how the commands lead to anything further, and it's thus still unknown to what extent Silver Sparrow poses a threat. The security company nevertheless believes that the malware is serious.

What is Apple doing?

Apple quickly took steps to override the developer certificates that enabled the Silver Sparrow malware to be installed. Further installations should therefore no longer be possible.

Apple's customers are usually protected from malware because all software downloaded outside of the Mac App Store are required to be notarized. In this case it seems that the malware writers were able to obtain a certificate that was used in order to sign the package. 

Without this certificate the malware can no longer infect more computers, but it's rather concerning that the malware had a certificate to start with.

For general advice on keeping your system safe, check out our Mac security tips. We also look at whether Macs can be hacked.