Mac “Silver Sparrow” Malware Threat: How to Find and Remove It


Macs have less of a malware problem than PCs, but the new “Silver Sparrow” malware affects both Intel-based and M1 “Apple Silicon” Macs. In this article, we show you how to find the malware and remove it.


What Does Silver Sparrow Do?

The true purpose of this malware is unknown. Security company Red Canary published a detailed article describing how the malware was first detected. It takes advantage of JavaScript and macOS plists to perform its tasks.

It appears that Silver Sparrow’s precursors first appeared on August 18, 2020. The first detection by Red Canary was on January 26, 2021. There are now two varieties of this malware in the wild – one that affects only Intel Macs, and the other that can infect M1 Macs as well.

What could it potentially do? The malware checks a download URL on a regular basis, so it could deliver ransomware or annoying adware if it finds that “payload” at the download site.


How Widespread Is Silver Sparrow?


Red Canary says that “According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany.”


Is It a Serious Threat?

From the Red Canary article:

Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice. Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.

Tony Lambert

Will Silver Sparrow Infect Your Mac?

Although Silver Sparrow is considered a serious threat, it’s not expected to spread much further. Apple suspended the developer certificates used to sign the package files that start the infection. If you’re using the Mac’s default security settings, you’ll be unable to install the malware. That’s a relief!


Does Antivirus Software Help?

Any standard virus checker on your Mac — like the free version of Malwarebytes or ClamXAV — finds and destroys Silver Sparrow during a standard scan. Just be sure that the definition files for the virus checker are up to date.


A Manual Method to Check For Infection and Delete Silver Sparrow

A Lifehacker post about Silver Sparrow describes four files that suggest your Mac might be infected with the malware:

  • ~/Library/._insu
    (empty file used to signal the malware to delete itself)
  • /tmp/agent.sh
    (shell script executed for installation callback)
  • /tmp/version.json
    (file downloaded from S3 to determine execution flow)
  • /tmp/version.plist
    (version.json converted into a property list)

Ars Technica commenter “effgee” provided a detailed set of instructions on how to look for these files and clean up an infected Mac. We won’t repeat these here due to their length, but if you want to perform a manual check and cleansing and you’re comfortable with the Terminal app, here’s a link.
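For a quick first look in Terminal, here is a read-only check for the four paths listed above. It is an added example, not code from the original article, Lifehacker, Red Canary, or the Ars Technica instructions; the function name and its two optional directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only check for the four Silver Sparrow indicator
# files named in the article. It only reports; it deletes nothing.

# find_silver_sparrow_files [HOME_DIR] [TMP_DIR]
# Prints every indicator path that exists, one per line.
# The two arguments are illustrative overrides (default: $HOME and /tmp)
# so the check can also be pointed at a mounted backup or a test directory.
find_silver_sparrow_files() {
    home_dir=${1:-$HOME}
    tmp_dir=${2:-/tmp}
    for path in \
        "$home_dir/Library/._insu" \
        "$tmp_dir/agent.sh" \
        "$tmp_dir/version.json" \
        "$tmp_dir/version.plist"
    do
        # -e misses a dangling symlink, so test -L as well
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

hits=$(find_silver_sparrow_files)
if [ -z "$hits" ]; then
    echo "None of the four Silver Sparrow indicator files are present."
else
    # Names such as agent.sh and version.json are generic, so a hit is a
    # reason to run a full scan, not proof of infection. Owner, size and
    # modification time help judge each file.
    echo "Indicator files found:"
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -ld "$f"
    done
fi
```

Because ~/Library/._insu is per-user, run the check once for each account on a shared Mac.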


To summarize, Silver Sparrow has been grounded by Apple and antivirus app publishers, but it did spread quickly. While the malware didn’t deliver a hazardous payload to any of the infected Macs, it has the potential to do so if not cleaned off of those Macs.



Steve Sande
Contributing Author
Steve has been writing about Apple products since 1986, starting on a bulletin board system, creating the first of his many Apple-related websites in 1994, joining the staff of The Unofficial Apple Weblog in 2008, and founding Apple World Today in 2015. He’s semi-retired, loves to camp and take photos, and is an FAA-licensed drone pilot.

3 Comments

  • I’ve yet to see how this malware is spread. One comment suggested you had to download and install it. Don’t know if you had to also disable security too. Any idea?

  • “After 14 days are up, your Malwarebytes will revert to a limited but still free version that will only disinfect but not protect your computer from an attack.”

    “Apple suspended the developer certificates used to sign the package files that start the infection. If you’re using the Mac’s default security settings, you’ll be unable to install the malware. That’s a relief!”

  • Your comment about the available anti-virus software being free is a little misleading. Yes, they have free versions for testing for a limited time, but both are subscription-based and after the free trial periods.