The MacBook Air, MacBook Pro, and Mac mini unveiled in November 2020 represented a major shift for Apple. Powered by the company’s M1 system on a chip (SoC), the new devices marked the beginning of a two-year transition from Intel-based architecture to Apple’s own processors, known as Apple silicon. Just a few months later, cybersecurity researchers found the first malware capable of running natively on the M1 SoC. What does the transition to Apple silicon mean for Mac security, and how is the Mac threat landscape expected to evolve? We look at the latest types of Mac malware, Silver Sparrow, Pirrit, and XCSSET, as well as the broader threats to Mac security.
Security features in Apple silicon
The story of Apple silicon begins with the company’s first iPhone, released in 2010. Since then, Apple has been developing its own custom chipsets based on the ARM architecture for its mobile devices, wearables, and smart-home devices. The MacBook and iMac computers, however, have been powered by Intel processors based on the x86 CPU architecture since 2005, when the company shifted away from IBM’s PowerPC processors. Now, with the adoption of Apple silicon for the Mac line-up, Apple is aiming to strengthen its ecosystem by establishing a common architecture across all its product lines.
Apple’s ARM-based chipsets are known for their superior security and encryption, for which the Secure Enclave coprocessor is responsible. The Secure Enclave was first introduced with the Apple A7 processor, when Apple changed the game for mobile devices by introducing Touch ID on the iPhone 5S. The coprocessor includes a hardware-based key manager that is isolated from the main processor and keeps cryptographic operations secure even if the device kernel is compromised. Together with the AES-256 crypto engine, it protects sensitive information such as biometric data.
Apple’s new octa-core M1 chip includes the newest version of Secure Enclave, AES-256 encryption, and a hardware-verified secure boot, which verifies that the software loaded during startup contains only Apple-approved code. As Apple explains: “The Apple M1 chip is designed to verify that the version of macOS software loaded during startup is authorized by Apple, and continues behind the scenes to protect the authorizations established for macOS as it runs.”
Like any new and exciting technology, the M1 chip powering the latest Macs has caught the interest of developers. Just as legitimate app developers have rushed to make their apps compatible with the new MacBooks, so have malware developers. Even though the ARM architecture is not as widespread as x86, it took only a few months for the first M1-native malware, Silver Sparrow and Pirrit, to appear. The myth that Apple computers are secure by default has been challenged many times, and the speed with which existing Mac malware was adapted to the new architecture is further proof that Macs also need additional protection.
Apple M1 native malware
Uncovered by researchers at Red Canary in February 2021, Silver Sparrow is a curious type of malware because it does not carry an actual payload: it has no malicious functionality of its own. So far, none of the 40,000 infected Macs has received additional components triggered after Silver Sparrow was downloaded. The delivered binaries were simple “bystanders”, as the Red Canary research team called them. This has prompted some cybersecurity researchers to regard Silver Sparrow as a mere proof of concept that spread to a large number of devices. That does not, however, mean it is no threat to Mac security.
“Even if Silver Sparrow seems to be still in the early stages of development and activity, the fact that it can download and run any binary in a stealthy approach raises concerns in terms of security, but also gives a glimpse into the purpose of the attackers: they could use this method to further evolve Silver Sparrow, transforming it into a more serious threat or download other malware families, thus using Silver Sparrow as a rentable distribution channel for other malicious files,” says Bogdan Anghelache from Avira Protection Labs.
According to Avira Protection Labs, there are two versions of this malware family: one compiled only for the Intel x86_64 architecture (recognizable by the agent_updater string IOC) and one compiled for both Intel x86_64 and Apple M1 ARM architectures (recognizable by the verx_updater string IOC).
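As an added example (not part of the original article and not Avira’s tooling), the following Python reads the fat and thin Mach-O headers of a file to report which architecture slices it carries, so an analyst can tell an x86_64-only build from a universal build with an arm64 slice, and checks for the two string IOCs named above. The sample bytes are constructed minimal headers, not real Silver Sparrow binaries, and a string hit is a triage hint rather than a verdict.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # universal ("fat") binary; its header and arch table are big-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit thin Mach-O, big-/little-endian
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
IOC_STRINGS = [b"agent_updater", b"verx_updater"]  # strings from the article; a hit is a hint only

def macho_architectures(data: bytes) -> list:
    """List the CPU architectures a thin or fat Mach-O image contains."""
    if len(data) < 8:
        return []
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):  # one 20-byte fat_arch entry per slice, cputype first
            cputype = struct.unpack(">I", data[8 + i * 20:12 + i * 20])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        order = ">" if magic == MH_MAGIC_64 else "<"  # byte order of the thin header
        cputype = struct.unpack(order + "I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []  # not a Mach-O we understand

def classify(data: bytes) -> dict:
    """Report slices present, whether the file can run natively on M1, and matched IOC strings."""
    archs = macho_architectures(data)
    return {"archs": archs, "m1_native": "arm64" in archs,
            "iocs": [s.decode() for s in IOC_STRINGS if s in data]}

# Constructed samples: minimal headers only, not runnable executables and not real malware.
def thin_slice(cputype: int, extra: bytes = b"") -> bytes:
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0) + extra  # mach_header_64

def fat_sample(slices) -> bytes:
    offset = 8 + 20 * len(slices)  # slices follow the fat header and the arch table
    table, body = b"", b""
    for cputype, payload in slices:
        table += struct.pack(">IIIII", cputype, 0, offset + len(body), len(payload), 0)
        body += payload
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + body

SAMPLE_UNIVERSAL = fat_sample([(CPU_TYPE_X86_64, thin_slice(CPU_TYPE_X86_64, b"verx_updater\0")),
                               (CPU_TYPE_ARM64, thin_slice(CPU_TYPE_ARM64))])
SAMPLE_INTEL_ONLY = thin_slice(CPU_TYPE_X86_64, b"agent_updater\0")
```

On a real system, pass the bytes of a downloaded binary to `classify()`; a result with `"arm64"` in `archs` is a file that will run natively on an M1 Mac without Rosetta.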
Pirrit is adware that has been distributed as utility software since 2016. Disguised as a video player or PDF reader, it has infected macOS and Windows devices. It can make itself persistent, so that it keeps running in the background, by creating a LaunchDaemon and posing as a legitimate Apple application.
Pirrit is used to spy on users’ browser activity and inject advertisements into the browser. After being installed, it typically scans the extensions installed in Safari and removes them. In carrying out its spying and ad-injection activities, OSX Pirrit has evolved from downloading and installing malicious browser injections to modifying internal properties of other installed browsers such as Firefox and Chrome. It also changes the browser’s default search provider to “tika-search.com” or “delta-search.com”. OSX Pirrit uses a specially crafted binary that runs in the background to take control of the targeted browser and monitor user activity. Based on that activity (links visited, search queries), this malicious component injects ads into the web page or opens new tabs with a specific ad.
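As an added example (not from the article and not Avira’s code), here is a Python heuristic for the persistence technique described above: it reads LaunchDaemon plists and flags jobs whose label looks like Apple’s while the program lives outside Apple’s directories, sits in a world-writable or hidden location, or is configured to be kept alive in the background. The Apple path prefixes, the sample labels and the sample paths are assumptions constructed for the example, not real Pirrit indicators.

```python
import os
import plistlib

# Directories where Apple's own launchd jobs live (an assumption used by this heuristic).
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def job_program(job: dict):
    """Executable a launchd job runs: 'Program' if set, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def audit_launchdaemon(plist_bytes: bytes) -> list:
    """Return findings for one LaunchDaemon plist; an empty list means nothing looked odd."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "")
    program = job_program(job)
    if program is None:
        return ["job has no program to run"]
    findings = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        findings.append(f"Apple-looking label {label!r} runs non-Apple path {program!r}")
    if program.startswith(WRITABLE_PREFIXES) or "/." in program:
        findings.append(f"program in a world-writable or hidden location: {program!r}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: started at boot and restarted if it exits")
    return findings

def audit_directory(path: str = "/Library/LaunchDaemons") -> dict:
    """Audit every .plist in a LaunchDaemons directory; returns only jobs with findings."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as f:
                results[name] = audit_launchdaemon(f.read())
    return {name: hits for name, hits in results.items() if hits}

# Constructed sample plists for the example (not real Pirrit artifacts).
ROGUE_PLIST = plistlib.dumps({"Label": "com.apple.videoplayer.helper",
                              "ProgramArguments": ["/Users/Shared/.vpupd/helper", "--background"],
                              "RunAtLoad": True, "KeepAlive": True})
BENIGN_PLIST = plistlib.dumps({"Label": "com.apple.example.daemon",
                               "ProgramArguments": ["/usr/libexec/exampled"], "RunAtLoad": True})
```

Any finding is a prompt to inspect the job and its binary by hand, since legitimate third-party daemons can also trip the KeepAlive check.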
Since the infected Xcode projects are modified to run malicious code, XCSSET affects not only the victim’s computer but also every other user to whom the developers distribute their project. With many developers collaborating on platforms such as GitHub, the malware can spread easily and give rise to supply-chain attacks.
How is the Mac threat landscape expected to evolve?
Apple has only just begun its transition to ARM processors for the Mac, and the Intel x86 and ARM architectures will coexist for a long time. At this point, Intel’s x86 architecture dominates the market by far, and consequently the volume of malware targeting x86 devices is much higher. However, cybercriminals’ interest in the ARM architecture will rise in step with the public’s interest. Silver Sparrow, Pirrit, and XCSSET are just the first of many threats that will target ARM-based Macs, threatening Mac security.
For end users, it is important to be aware of the dangers lurking online, from the different types of viruses and malware to phishing and elaborate social engineering attacks. With a good knowledge of cyberthreats and the right tools to protect your devices and data, the risk of falling prey to cybercriminals is low. For additional protection, check out Avira Free Security for macOS.