First malware that runs natively on the M1 chip discovered

Malware designed specifically to work with Apple’s M1 chip has been discovered, indicating that malware authors have begun adapting malware for Apple’s next-generation Macs with Apple silicon.


Mac security researcher Patrick Wardle has now published a report, cited by Wired, which explains in detail how malware has begun to be adapted and compiled to run natively on the M1 chip.

Wardle discovered the first known native M1 malware in the form of a Safari adware extension, originally written to run on Intel x86 chips. The malicious extension, called “GoSearch22”, is a known member of the “Pirrit” Mac adware family and was first seen in late December. Pirrit is one of the oldest and most active Mac adware families, and is known to be constantly changing in an attempt to evade detection, so it’s no surprise that it has already begun to adapt to the M1.

The GoSearch22 adware presents itself as a legitimate Safari browser extension, but it collects user data and serves a large number of ads, such as banners and pop-ups, including some that link to malicious websites in order to spread more malicious software. Wardle says the adware was signed with an Apple developer ID in November to further disguise its malicious content, but the ID has since been revoked.

Wardle points out that since malware for the M1 is still in its infancy, antivirus scanners do not detect it as easily as x86 versions, and defensive tools such as antivirus engines have difficulty processing the modified files. Signatures for detecting malware threats on the M1 chip have not yet been substantially observed, so security tools to detect and treat them are not yet available.

Researchers at security company Red Canary told Wired that other types of native M1 malware, separate from Wardle’s findings, have also been found and are being investigated.

Only the MacBook Pro, MacBook Air, and Mac mini have Apple silicon chips at the moment, but the technology is expected to expand across the Mac range over the next two years. Given that all new Macs are expected to include Apple silicon chips like the M1 in the near future, it was inevitable that malware developers would end up starting to target Apple’s new machines.

While the M1-native malicious software that researchers have found does not appear to be unusual or especially dangerous, the emergence of these new varieties serves as a warning that more will likely come.

See the full Wardle report for more information on the first native M1 malware.
