Red Canary, a security company, has discovered a second known malware strain, nicknamed “Silver Sparrow,” which was compiled to run natively on the M1 Mac. The malicious package is reported to use the macOS Installer JavaScript API to execute suspicious commands. However, after observing the malware for more than a week, Red Canary and its research partners had not observed a final malicious payload, so the specific threat posed by the malware remains a mystery.
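The Installer JavaScript API mentioned above lives in a package's Distribution file, which `pkgutil --expand` unpacks from a `.pkg`. The following added example (not from the original article or from Red Canary) shows a defender's triage check over that file: it flags packages whose Distribution embeds `<script>` JavaScript, which Installer hooks (`installation-check`, `volume-check`) evaluate it, whether the script calls `system.run` (the Installer API function that launches a command), and which host architectures the package declares. The two Distribution XML samples are constructed for this example; `checkAndRun` and the `/bin/sh` invocation are placeholders, not details from the real malware.

```python
"""Triage check for macOS Installer packages that embed JavaScript in their Distribution file."""
import xml.etree.ElementTree as ET

# Installer JavaScript API call that runs an external command during installation.
# system.run is documented by Apple; it is the call a defender most wants to see flagged.
EXEC_CALLS = ("system.run",)

# Distribution elements whose "script" attribute names a JavaScript hook Installer evaluates.
SCRIPT_HOOKS = ("installation-check", "volume-check")

# Constructed sample: a universal (x86_64 + arm64) package whose install check spawns a shell.
SUSPICIOUS_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
    <title>Constructed Sample</title>
    <options customize="never" hostArchitectures="x86_64,arm64"/>
    <installation-check script="checkAndRun()"/>
    <script><![CDATA[
    function checkAndRun() {
        // placeholder command for the example, not the real malware's command
        system.run('/bin/sh', '-c', 'echo constructed');
        return true;
    }
    ]]></script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.constructed"/></choice>
    <pkg-ref id="com.example.constructed" version="1.0">#constructed.pkg</pkg-ref>
</installer-gui-script>"""

# Constructed sample: an ordinary package with no embedded JavaScript at all.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
    <title>Constructed Benign Sample</title>
    <options customize="never"/>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.benign"/></choice>
    <pkg-ref id="com.example.benign" version="1.0">#benign.pkg</pkg-ref>
</installer-gui-script>"""


def analyze_distribution(xml_text: str) -> dict:
    """Summarise the JavaScript-related risk indicators of a Distribution file."""
    root = ET.fromstring(xml_text)

    # All <script> bodies, CDATA included (ElementTree exposes CDATA as plain text).
    scripts = [el.text or "" for el in root.iter("script")]

    # Hooks that cause Installer to evaluate JavaScript before/while installing.
    hooks = {}
    for tag in SCRIPT_HOOKS:
        for el in root.iter(tag):
            if el.get("script"):
                hooks[tag] = el.get("script")

    # Architectures the package declares it supports (empty if unspecified).
    opts = root.find("options")
    arch_attr = opts.get("hostArchitectures", "") if opts is not None else ""
    arches = [a.strip() for a in arch_attr.split(",") if a.strip()]

    exec_calls = sorted(c for c in EXEC_CALLS if any(c in s for s in scripts))

    return {
        "embeds_javascript": bool(scripts),
        "script_hooks": hooks,
        "exec_calls": exec_calls,
        "host_architectures": arches,
        # A package that both embeds JavaScript and calls system.run deserves manual review.
        "verdict": "review" if exec_calls else "low",
    }


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(name, analyze_distribution(xml_text))
```

Embedded JavaScript is not malicious by itself; legitimate packages use `installation-check` to refuse unsupported systems. The value of the check is the combination: a script hook plus `system.run`, on a package declaring `arm64` support, is what an analyst would pull aside for a closer look.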

Nevertheless, Red Canary said the malware could be “a fairly serious threat”:

Although we have not observed “Silver Sparrow” delivering additional malicious payloads, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity show that Silver Sparrow is a serious threat, and its unique positioning could deliver a potentially impactful payload in an instant.

According to data provided by Malwarebytes, as of February 17, “Silver Sparrow” had infected 29,139 macOS systems in 153 countries, including “a large number of detections in the United States, the United Kingdom, Canada, France and Germany.” But the researchers did not say how many of those were M1 Macs.

Because the “Silver Sparrow” binary “doesn’t seem to do that much,” the researchers call it the “bystander binary.” When executed on an Intel-based Mac, the malicious package only displays a blank window with the message “Hello, World!”; when executed on an Apple silicon Mac, a red window appears with the words “You did it!”

The first malware to run natively on the M1 Mac was discovered only a few days earlier. The technical details of this second malware can be found in Red Canary’s blog post.