
Remove SILVER SPARROW Malware From Mac (Virus Removal Guide)

Silver Sparrow malware infects nearly 30,000 Macs across 164 countries

Silver Sparrow malware is a newly detected Mac virus targeting different OS X architectures, including Apple’s new M1 ARM64 architecture. The main purpose of this virus is to work as a backdoor that delivers malicious payloads to the compromised system. Additionally, the virus uses the Launch Agent technique to persist on the computer and be hard to remove. According to reports, this new malware strain has already compromised 29,139 macOS computers in 164 countries, with the majority of instances in the United States, the United Kingdom, Canada, Germany and France. In this article, we will explain how to remove this threat and secure your Mac for further usage.

Silver Sparrow malware usually spreads via fake software update advertisements online and arrives in a fake Apple installer package named update.pkg or updater.pkg that both include malicious JavaScript which launches before the actual package installation procedure. The user can see an ‘Install’ window that says ‘This package will run a program to determine if the software can be installed‘. Unfortunately, at this point the malware already resides in your system, despite your decision to click ‘Cancel‘ or ‘Continue.’

Silver Sparrow malware acts as a malware dropper on the system.

Following the discovery of this malware, Apple took action to prevent its further spread and revoked the certificates of the developer accounts used to sign the distributed packages. However, if you’re a Mac user, we still recommend checking whether your computer was infected earlier.

Technical details about the malware

Silver Sparrow malware has two versions: version 1 contains a binary compiled for the Intel x86_64 architecture, while version 2 includes a binary designed for both Intel x86_64 and M1 ARM64 architectures. This is unusual because the latter Apple architecture is very new and there haven’t been many instances of malware designed for it so far.

The malware dynamically generates its malicious script in order to evade detection by security software. In addition, it runs PlistBuddy to create a LaunchAgent that instructs launchd, the Mac initialization system, to regularly run specific tasks. For example, this malware instructs launchd to execute a shell script every hour that downloads a JSON file to disk, converts it to a plist file, and uses it to execute further malicious tasks.

So far, researchers didn’t observe any final payload, which means this malware was created by cybercriminals for testing purposes. The virus also includes several other tasks that seriously confused cybersecurity experts. For example, the malware includes a script that checks for the presence of ~/Library/._insu and, if it is found, removes all of its persistence mechanisms and scripts from the computer.

The virus is also designed to gather the infected system’s UUID and the URL from which the malware package was downloaded. It is believed that the criminals use this information to identify the most successful distribution channels.

After the installation, the virus displays a very basic placeholder. In version 1, it literally says “Hello World!” on a dark grey background, while the second one states “You did it!” on a red background.

Two versions of text message displayed by the malware after installation.

If you’re wondering what Silver Sparrow malware does, you should know that it is capable of installing and executing various kinds of Mac threats on the system, so ensure that you remove this virus professionally.

The list of possible activities that this Mac virus can initiate is limitless: it can drag in a spyware application or adware, or spread more severe threats such as ransomware or Trojans. These and similar threats can cause severe damage to your computer and your privacy and possibly lead to financial or personal data loss.

If you would like to detect and remove Silver Sparrow malware from your Mac, we strongly recommend a robust Mac antivirus that scores 100% detection rate in malware detection tests – INTEGO.

Remove Silver Sparrow malware using INTEGO ANTIVIRUS for Mac (includes scanning for iOS devices). The one-of-a-kind security suite provides VirusBarrier X9 real-time protection against Mac and Windows-based malware, removes existing threats and scans for malware in popular e-mail clients. Includes NetBarrier X9, an intelligent firewall for home, work and public connections.

Name: Silver Sparrow malware
Type: Mac malware, Mac virus, Backdoor, Trojan
Target OS: Mac OS X (Intel x86_64 and M1 ARM64)
Versions: Version 1: updater.pkg (MD5: 30c9bc7d40454e501c358f77449071aa); Version 2: update.pkg (MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149)
Version 1 detection names: OSX/Spisp.A (INTEGO), OSX/Agent.smpwq (Avira), Malicious (score: 85) (Cynet), MacOS:Agent-OC [Trj] (AVG), see full list on VirusTotal
Version 2 detection names: OSX/Spisp.A (INTEGO), MacOS:Agent-OC [Trj] (AVG), Malicious (score: 85) (Cynet), OSX/Agent.rawsn (Avira), see full list on VirusTotal
Distribution: Malicious online advertisements pushing fake software updates, illegal downloads such as software cracks, torrent downloads
Removal: We strongly recommend a powerful Mac antivirus, INTEGO, as a robust Silver Sparrow removal tool. Intego detects and removes Silver Sparrow malware as well as all of its components from Mac with ease.

Mac malware distribution vectors: how to avoid getting infected

The primary Silver Sparrow malware distribution technique is identical to one used to spread the vast majority of persistent adware and other Mac-targeted malware – these applications are disguised in malicious online advertisements, typically offering fake software updates. Most of these infections arrive in PKG or DMG format files posing as legitimate Adobe Flash Player or Java update installers. Some examples of such ads are provided in the image below.

If you wish to avoid the hassle of checking whether you got infected with such and similar Mac malware or adware like SearchLee or Search Baron, try to stay away from dubious online websites that trigger random pop-up ads. Try to trust your judgement and avoid clicking on download or install buttons advertised by adult-only, gaming or gambling sites, also torrent-hosting sites and similar.

Additionally, we’d like to remind you to be careful with any installation files and choose trustworthy sources only to keep your computer secure. Ideally, download software only from well-known companies (make sure you visit their official websites for any downloads!) or the good old App Store.

How to Detect and Remove Silver Sparrow malware from Mac

In order to detect and remove Silver Sparrow malware from Mac, we strongly recommend using a trustworthy antivirus solution like INTEGO. We’d like to advise you that attempts to uninstall persistent Mac malware manually can be unsuccessful, especially if you’re not an experienced user.

In order to check and perform Silver Sparrow virus removal from Mac, download INTEGO and perform a full system scan. You can also check its review to learn more about its outstanding lab tests results.


Silver Sparrow malware Removal Tutorial

Use the following guidelines to get rid of Silver Sparrow malware on Mac. You will need to eliminate suspicious components from several system folders, move unwanted applications to Trash, and delete shady profiles and login items created by the potentially unwanted program. Once you complete these steps, follow the instructions for cleaning each affected web browser individually.

Eliminate components of unwanted program from Mac system folders

  1. Click Go in the Mac's Finder toolbar and select Utilities.
  2. Here, double-click Activity Monitor app.
  3. In Activity Monitor, you will need to identify suspicious and resource-consuming apps, select them and click the X (Stop) button in the upper left corner of the window. Our suggestion is to search for Mac Security Plus, Spaces, BeAware, ScreenCapture or ScreenSaver apps and similar ones.
  4. After clicking the Stop button for an app, you will see a prompt asking do you really want to quit this process. Click Force Quit to continue.
  5. Now, click the Go button in Mac's Finder toolbar and select Go to Folder...
  6. Here, enter /Library/LaunchAgents and click Go.
  7. Look through the opened folder for suspicious components that possibly belong to the Silver Sparrow malware. Our recommendation is to look for unrecognized and recently added files. Then, move them to Trash/Bin.
    However, malware names hardly ever signal that they are somehow malicious, so you might want to check some questionable names online. For instance, examples of Mac malware related files include com.DataSearch.plist, com.ExpertModuleSearchP.plist, com.pcv.hlpramc.plist, com.updater.mcy.plist, com.avickUpd.plist, com.msp.agent.plist and similar.
  8. Using the Go to Folder feature, navigate to a location called ~/Library/Application Support. You can simply copy and paste this path to the go to Folder window and click Go.
  9. Here, identify suspicious folders and move them to Trash. Again, you need to use your common sense and look for recently added programs that aren't related to Mac OS or apps you installed willingly. Examples of unwanted folders include SystemSpecial, IdeaShared, ProgressMatch and DataSearch.
  10. Use Go to Folder feature once more to navigate to ~/Library/LaunchAgents.
  11. Here, identify suspicious components and move them to Trash.
  12. Now, navigate to /Library/LaunchDaemons and eliminate strange or suspicious-looking components possibly related to Silver Sparrow malware. Known Mac malware stores files such as com.pplauncher.plist, com.ExpertModuleSearchDaemon.plist, com.DataSearchP.plist, com.startup.plist and similarly named files here.
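
The hourly LaunchAgent described under "Technical details" and the folder review in steps 6 to 12, as an added example (not code from this guide or from any vendor): a read-only Python script that lists every launchd plist in the three folders named above and marks the ones that run a shell interpreter, repeat on a StartInterval, or changed recently. The marking criteria, the 30-day window and every name in the script are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Read-only review of launchd job definitions (added example)."""
import plistlib
import time
from pathlib import Path

# The three folders named in the steps above.
LAUNCH_DIRS = [
    Path("/Library/LaunchAgents"),
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchDaemons"),
]
SHELLS = {"sh", "bash", "zsh"}  # assumption: interpreters worth a second look
RECENT_DAYS = 30                # assumption: what counts as "recently added"


def inspect_plist(path, now=None):
    """Describe one launchd plist and list the reasons it deserves review."""
    now = time.time() if now is None else now
    item = {"path": str(path), "label": None, "command": [], "reasons": []}
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # parses both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:
        item["reasons"].append(f"unreadable plist: {type(exc).__name__}")
        return item
    args = job.get("ProgramArguments") or job.get("Program") or []
    if isinstance(args, str):
        args = [args]
    item["label"] = job.get("Label")
    item["command"] = [str(a) for a in args]
    if item["command"] and Path(item["command"][0]).name in SHELLS:
        item["reasons"].append("runs a shell interpreter")
    if isinstance(job.get("StartInterval"), int):
        item["reasons"].append(f"repeats every {job['StartInterval']} s")
    if now - Path(path).stat().st_mtime < RECENT_DAYS * 86400:
        item["reasons"].append(f"modified in the last {RECENT_DAYS} days")
    return item


def audit(dirs=LAUNCH_DIRS, now=None):
    """Inspect every *.plist in dirs; entries with the most reasons come first."""
    items = []
    for folder in map(Path, dirs):
        if folder.is_dir():
            items += [inspect_plist(p, now) for p in sorted(folder.glob("*.plist"))]
    return sorted(items, key=lambda i: -len(i["reasons"]))


if __name__ == "__main__":
    for it in audit():
        print(f"[{len(it['reasons'])}] {it['path']}")
        print(f"    label={it['label']}  command={' '.join(it['command'])}")
        for reason in it["reasons"]:
            print(f"    - {reason}")
```

A marked entry is a candidate for the manual check in step 7, not a verdict, since legitimate software also installs periodic jobs.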

Move unwanted applications to Trash

  1. Click on Finder.
  2. Go to Applications folder.
  3. Look for suspicious applications you can't remember installing. Right-click them and select Move to Trash.
  4. After moving all suspicious apps to Trash, right-click the Trash bin in Mac's Dock and select Empty Trash.

Remove unwanted startup applications on Mac

  1. Click on the Apple logo in the upper left corner and open System Preferences.
  2. In System Preferences, go to Users & Groups.
  3. Open Login items tab and look for suspicious applications that start during the Mac startup. Select unwanted app and click on minus (-) button to remove it from the list.

Delete malicious configuration profiles

  1. Go back by clicking < or close the window and reopen System Preferences via Mac toolbar. Go to Profiles.
  2. In Profiles, inspect entries on the left pane. Look for suspicious configuration profiles hijacking your browsers' settings and click the minus (-) button to remove them. Examples of known malicious profiles include Chrome Settings, AdminPrefs, Safari Settings, MainSearchPlatform, TechSignalSearch, TechLetterSearch and similar. In example below, the profile includes a suspicious link, although it can contain a function to force browser changes when user tries to revert them.

Remove Silver Sparrow malware from Safari

Uninstall suspicious Safari extensions

  1. Open Safari and click on Safari button in the top left corner. Select Preferences in the menu that appears on the screen.
  2. Now, go to Extensions tab. Look at the left to see all installed extensions, click on suspicious ones and hit that Uninstall button as shown in the picture. Confirm your choice by clicking Uninstall again. Repeat until you get rid of all unwanted extensions.

Change Safari Homepage and default search engine

  1. In Preferences, open the General tab. Here, check what URL is set as your homepage. Delete it and type in whatever URL you want to set as your Safari Start Page.
  2. Next, go to the Search tab. Here, choose what Search engine you want to set as default.
  3. Next, click on Manage websites... then Remove all... and then Done.

Remove push notifications on Safari

Some suspicious websites can try to corrupt your Safari by asking to enable push notifications. If you have accidentally agreed, your browser will be flooded with various intrusive advertisements and pop-ups. You can get rid of them by following this quick guide:

  1. Open Safari and click on Safari button in the top-left corner of the screen to select Preferences;
  2. Go to Websites tab and navigate to Notifications on the left side toolbar.

Reset Safari

  1. Click on Safari > Clear History...
  2. Then choose to clear All history and hit Clear History button to confirm.
  3. Go to Safari > Preferences and then open Privacy tab.
  4. Click Manage Website Data... then Remove All. To finish, click Done.
  5. Finally, clear Safari cache. In Safari Menu, click Develop > Clear Cache.

Remove Silver Sparrow malware from Google Chrome

Remove suspicious Chrome extensions

  1. Open Chrome and type chrome://extensions into address bar and press Enter.
  2. Here, look for suspicious extensions, and Remove them.
  3. Don't forget to confirm by pressing Remove in the confirmation pop-up.

Change Start Page settings

  1. In Chrome address bar, type chrome://settings and press Enter.
  2. Scroll down to the On startup section. Check for suspicious extensions controlling these settings, and Disable them.
  3. Additionally, you can set browser to Open a specific page or set of pages via these settings. Simply choose this option, click Add a new page, enter your preferred URL (f.e. www.google.com) and press Add.

Change default search settings

  1. In Chrome URL bar, type chrome://settings/searchEngines and press Enter. Make sure you type searchEngines, not searchengines. Additionally, you can go to chrome://settings and find Manage search engines option.
  2. First, look at the list of search engines and find the one you want to set as default. Click the three dots next to it and select Make Default.
  3. Finally, look through the list and eliminate suspicious entries. Right-click the three dots and select Remove from the list.

Remove push notifications from Chrome

If you want to get rid of the annoying ads and so-called push-notifications viruses, you must identify their components and clean your browser. You can easily remove ads from Chrome by following these steps:

  1. In Google Chrome, press on Menu (upward arrow) in the top-right corner of the window.
  2. Select Settings.
  3. Go to Privacy and Security > Site Settings.
  4. Open Notifications.
  5. Here, go to the Allow list and identify suspicious URLs. You can either Block or Remove by pressing on the three vertical dots on the right side of the URL. However, we suggest the Block option, so the site won't ask you to enable the notifications if you ever visit it again.

Reset Google Chrome browser

  1. The final option is to reset Google Chrome. Type chrome://settings in the URL bar, press Enter and then scroll down until you see Advanced option. Click it and scroll to the bottom of the settings.
  2. Click Restore settings to their original defaults.
  3. Click Restore settings to confirm.

Remove Silver Sparrow malware from Mozilla Firefox

Remove unwanted add-ons from Firefox

  1. Open Firefox and type about:addons in the URL bar. Press Enter.
  2. Now, click on Extensions (in the left section).
  3. Click Remove next to every suspicious browser add-on that you can't remember installing.

Change Firefox Homepage

  1. In Firefox address bar, type about:preferences and hit Enter.
  2. Look at the left and click the Home tab.
  3. Here, delete the suspicious URL and type or paste in the URL of a website you'd like to set as your homepage.

Alter preferences in Firefox

  1. Type about:config in Firefox address bar and hit Enter.
  2. Click I accept the risk! to continue.
  3. Here, type in the URL which has taken over your browser without your knowledge. Right-click each value that includes it and choose Reset.

Remove annoying push notifications from Firefox

Suspicious sites that ask to enable push notifications gain access to Mozilla's settings and can deliver intrusive advertisements when browsing the Internet. Therefore, you should remove access to your browser by following these simple steps:

  1. In Mozilla Firefox, click on Menu (the three horizontal bars) on the top-right corner of the window, then choose Options.
  2. Click on Privacy and Security, then scroll down to Permissions section.
  3. Here, find Notifications and click Settings button next to it.
  4. Identify all unknown URLs and choose to Block them. Click Save Changes afterward.

Reset Mozilla Firefox

  1. In Firefox, type about:support in the address bar and press Enter.
  2. Click on Refresh Firefox...
  3. Click Refresh Firefox again to confirm.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
