Tricking Apple Customers With A Fake Download

Apple’s pretty famous for being difficult to write viruses for. Essentially, for something to get into an Apple device, it has to be so small and so powerless that it’s worthless as a virus. Apple takes pride in this. It’s very rare for a virus to infect so many devices before Apple notices and puts a stop to it!

What Happened?

A virus dubbed “Silver Sparrow” by tech company Red Canary snuck onto devices via “update” download requests. Essentially, it tricked victims into believing that they couldn’t view certain content without updating their flash player. The ad helpfully provided the download so they could update right then and there. This was not a flash update – it was a .pkg file masquerading as one! This is a common trick, but it’s not the only way these ‘updates’ end up on machines. If a box pops up asking you for permission to download something even though you didn’t click anything requesting an update, don’t allow it. Legitimate programs will never do that!

Red Canary also notes that ads and malicious search results may have had a hand in the virus’s extreme reach – unsecured websites can carry viruses in images and ads, so if a hacker figures out a site will host ads for anybody, they can use that as a launch gate.

Besides “how”, Silver Sparrow right now is non-specific malware, an activity cluster. This just means that a set of files contain the code to carry out the attack, but they don’t fall neatly into one category over others. Identification only goes as far as “not adware” right now, but this may change as more is learned about the virus!

Reason to Fear?

It doesn’t actually look like the new virus did anything. Yet. Unfortunately, viruses like these are usually used to set up a wide-scale attack at a later date. The goal is to infect as many computers as possible without firms like Red Canary noticing, and then kill or encrypt the infected all at once. They don’t yet know exactly if this is what Silver Sparrow was going to do, but it certainly seems a little odd that this incredibly quiet virus was installing itself in places just to sit there indefinitely.

Alternatively, this could have been a sort of ‘test run’. Whoever made Silver Sparrow included a self-destruct that should have triggered by itself. It’s possible the creators were looking to gather some numbers before actually launching a more dangerous malware that could deliver a payload. Red Canary currently has an estimate of just under 30,000 Apple devices infected, but the number may grow as new infection indicators are discovered. After all, something with a self-destruct will occasionally manage to get it right!

Once Apple was alerted of the problem, they revoked the certificates Silver Sparrow had been using illegitimately and began developing an action plan to keep viruses like this one out in the future. Revoking those certificates should be enough to keep Silver Sparrow from infecting more devices. Red Canary currently recommends a solid anti-malware tool on top of what Apple’s OS already has to prevent copycat viruses, and boost security.

The virus is still pretty scary, even though it didn’t do much more than sit quietly. It’s compatibility with the M1 chip, evading the Apple MRT, and it’s high infection rate are all reasons to keep an ear to the ground if you’re a Mac owner.

Define “High-Stealth”

The virus had a self-destruct function built in, but it seems like it didn’t actually get to activate it in a lot of cases. The virus was supposed to come into contact with a different part of the library that would contain the code it was looking for to trigger the self-destruct. It’s possible the thing was hiding a little too well, to its own detriment.

Notably, it runs on the M1 chip, something malware’s not supposed to be able to do. That may have contributed to how difficult it was to identify. The chip itself is pretty young, and researchers have determined that the virus may have begun infecting devices as early as three years ago, meaning Silver Sparrow is part of a very exclusive club right now.

No activity that triggered the built in antivirus + self-destruct + small size = high stealth!

What Is MRT?

An MRT, or Malware Removal Tool, is designed to remove threats to the computer in the background without the user noticing. This can create problems with CPU usage, and it means there’s less flexibility in downloading files than Windows gives, but the security the tool gives consumers is worth it. Especially for folks who don’t know computers all that well, and may not understand how to browse the web safely. The MRT has a library of known viruses, and combines that knowledge with programming designed to combat new and unknown ones.

As said before, Apple’s pretty difficult to write viruses for. The MRT certainly contributes, but the OS itself boosts this difficulty to a point that hackers and cyber criminals don’t even try. It’s not impossible, but malware is custom-fitted for Macs. Windows viruses are just easier to make, and there’s more Windows devices than Macs, especially in the business world.

Don’t Click Random Ads – And Don’t Download Things

It’s unfortunate, but if a website’s not supporting ads from a large, trusted vendor like Google, they likely can’t vet every ad they sell space to. Anti-virus should help protect devices against ad intrusions, but what about everything else?

For other issues, like clicking links, the unfortunate answer is that it comes down to ‘street smarts’. It’s something employees and regular computer users need some training on. What looks suspicious to one user may not seem suspicious at all to another! Free-to-play games, for instance, might trick a child, while “recipe.exe” sent forward from chainmail might catch an older adult who doesn’t know what different file extensions mean.

What you can do if you’re struggling to separate good links from bad is listen to your device and carefully review the download. Is it what it says it should be (i.e recipe.pdf instead of recipe.exe)? Does the publisher’s credentials match the site you got it from? And does your computer throw a fit when you try to download it? Or warn you that the file may be from an unverified third party?

When in doubt, you can always Google the alert you’re getting – and err on the side of caution!

Sources:

https://www.sentinelone.com/blog/apples-malware-removal-mrt-tool-update

https://www.businessinsider.in/tech/news/over-30000-apple-macs-have-been-infected-with-a-high-stealth-malware-and-the-company-has-no-idea-why/articleshow/81145708.cms

https://www.cnn.com/2021/02/21/tech/mac-mysterious-malware/index.html

https://www.cnn.com/2020/11/10/tech/apple-silicon-chips-mac/index.html

https://redcanary.com/blog/clipping-silver-sparrows-wings