First Apple Silicon-optimized malware discovered in the wild

The first Apple Silicon Macs were launched just a few months ago, and a good portion of popular applications have already been updated with native support for the M1 MacBook Air, MacBook Pro and Mac mini. Not far behind, what appears to be the first malware optimized for Apple Silicon has been found in the wild.

The discovery was made by security researcher and Objective-See founder Patrick Wardle. In a highly detailed write-up, Patrick shared how he discovered the new Apple Silicon-specific malware and why it matters.

While I was working on rebuilding my tools to achieve native M1 compatibility, I considered the possibility that malware writers were also spending their time in a similar way. At the end of the day, malware is simply software (though malicious), so I figured it would make sense (eventually) to see malware created to run natively on Apple’s new M1 systems.

Before heading out to hunt for native M1 malware, we need to answer the question, “How can we determine if a program was compiled natively for M1?” Well, in short, it will contain arm64 code! OK, and how can we verify this?

A simple way is via the built-in macOS file tool (or lipo -archs). Using this tool, we can examine a binary to see if it contains compiled arm64 code.

Patrick ended up using a free VirusTotal researcher account to start his hunt. An important step in finding out whether any malware was truly optimized for Apple Silicon was to eliminate universal binaries that are actually iOS apps, since those contain arm64 code too.
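As an added illustration (not code from Patrick Wardle's write-up or from this article), the following Python does by hand what the file / lipo -archs check above does: it parses the Mach-O universal (fat) header and each slice's own header to list the CPU architectures, and it also reads the LC_BUILD_VERSION or LC_VERSION_MIN_* load command so that an arm64 slice built for iOS is not mistaken for a native M1 Mac binary, which is exactly the false positive the VirusTotal filtering step has to avoid. The sample binaries at the bottom are constructed header-only blobs, not real executables, and all function and constant names are my own; the magic numbers and structure layouts are the documented Mach-O ones.

```python
import struct

# Magic numbers and constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBAF1   # universal container, always big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF     # thin Mach-O, written in the target's byte order
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE     # ...what a little-endian file looks like read big-endian
CPU_TYPE_NAMES = {0x7: "i386", 0x01000007: "x86_64", 0xC: "arm", 0x0100000C: "arm64"}
LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_BUILD_VERSION = 0x24, 0x25, 0x32
PLATFORM_NAMES = {1: "macos", 2: "ios", 3: "tvos", 4: "watchos", 6: "maccatalyst", 7: "iossimulator"}


def _thin_slice_info(data):
    """Parse one Mach-O image: return (arch_name, platform_name_or_None)."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (MH_CIGAM, MH_CIGAM_64):       # little-endian file (Intel and Apple Silicon Macs)
        endian, is64 = "<", magic == MH_CIGAM_64
    elif magic in (MH_MAGIC, MH_MAGIC_64):     # big-endian file (historical PowerPC builds)
        endian, is64 = ">", magic == MH_MAGIC_64
    else:
        raise ValueError("not a Mach-O header")
    cputype, _subtype, _filetype, ncmds, _sizeofcmds = struct.unpack(endian + "5I", data[4:24])
    arch = CPU_TYPE_NAMES.get(cputype, f"unknown(0x{cputype:08x})")
    off = 32 if is64 else 28                   # mach_header_64 carries an extra reserved field
    platform = None
    for _ in range(ncmds):                     # walk the load commands for the platform marker
        if off + 8 > len(data):
            break
        cmd, cmdsize = struct.unpack(endian + "2I", data[off:off + 8])
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_BUILD_VERSION:            # cmd, cmdsize, platform, minos, sdk, ntools
            plat = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
            platform = PLATFORM_NAMES.get(plat, f"platform({plat})")
        elif cmd == LC_VERSION_MIN_MACOSX:     # older toolchains used per-OS commands instead
            platform = "macos"
        elif cmd == LC_VERSION_MIN_IPHONEOS:
            platform = "ios"
        off += cmdsize
    return arch, platform


def macho_slices(data):
    """Return [(arch, platform), ...] for a thin Mach-O or a universal (fat) binary."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    magic, count = struct.unpack(">2I", data[:8])
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        return [_thin_slice_info(data)]
    # Java class files share the 0xCAFEBABE magic; their version field reads as an absurd slice count.
    if count == 0 or count > 32:
        raise ValueError("not a universal binary (Java class file?)")
    slices = []
    for i in range(count):
        if magic == FAT_MAGIC_64:              # fat_arch_64: cputype, cpusubtype, offset, size, align, reserved
            _cpu, _sub, offset, size, _align, _res = struct.unpack(">IIQQII", data[8 + i * 32:40 + i * 32])
        else:                                  # fat_arch: cputype, cpusubtype, offset, size, align
            _cpu, _sub, offset, size, _align = struct.unpack(">5I", data[8 + i * 20:28 + i * 20])
        if offset + size > len(data):
            raise ValueError("fat_arch entry points past end of file")
        slices.append(_thin_slice_info(data[offset:offset + size]))
    return slices


def is_native_m1_macos(data):
    """True only if some slice is arm64 *and* built for macOS (an iOS app's arm64 slice does not count)."""
    return any(arch == "arm64" and plat == "macos" for arch, plat in macho_slices(data))


# --- Constructed samples (header-only blobs, not real executables) ---------------------------
def _thin(cputype, build_cmd):
    # minimal little-endian mach_header_64 (filetype MH_EXECUTE=2, one load command) + that command
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1, len(build_cmd), 0, 0) + build_cmd


def _build_version(platform):
    # LC_BUILD_VERSION with arbitrary minos/sdk values; only the platform field matters here
    return struct.pack("<6I", LC_BUILD_VERSION, 24, platform, 0x000B0000, 0x000B0100, 0)


def _fat(images):
    # wrap thin images in a FAT_MAGIC container using 20-byte fat_arch entries
    offset, entries, body = 8 + 20 * len(images), b"", b""
    for img in images:
        cputype = struct.unpack("<I", img[4:8])[0]
        entries += struct.pack(">5I", cputype, 0, offset, len(img), 0)
        body += img
        offset += len(img)
    return struct.pack(">2I", FAT_MAGIC, len(images)) + entries + body


UNIVERSAL_MAC_APP = _fat([_thin(0x01000007, _build_version(1)), _thin(0x0100000C, _build_version(1))])
IOS_ARM64_APP = _thin(0x0100000C, _build_version(2))   # arm64, but an iOS build: not a native M1 Mac binary
INTEL_ONLY_APP = _thin(0x01000007, _build_version(1))
JAVA_CLASS = bytes.fromhex("cafebabe00000034") + b"\x00" * 8   # same magic as a fat header, not Mach-O

if __name__ == "__main__":
    for name, blob in [("universal", UNIVERSAL_MAC_APP), ("ios", IOS_ARM64_APP), ("intel", INTEL_ONLY_APP)]:
        print(name, macho_slices(blob), "native M1 macOS:", is_native_m1_macos(blob))
```

To run it against a real binary, pass the file's bytes to macho_slices (for example open(path, "rb").read()); the platform check is what separates a genuine macOS arm64 build from the arm64 slice every iOS app carries.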

After narrowing the search, Patrick came across “GoSearch22” as an interesting candidate.

After going through some more checks, Patrick was able to confirm that this is malware optimized for M1 Macs.

Hooray, we were able to find a macOS program containing native M1 (arm64) code … which was detected as malicious! This confirms that malware / adware authors are actually working to ensure that their malicious creations are natively compatible with Apple’s latest hardware. 🥲

It is also important to note that GoSearch22 was actually signed with an Apple developer ID (hongsheng yan) on November 23, 2020:

Patrick notes that Apple has since revoked the certificate, so it is not known whether Apple ever notarized the code. Either way:

What we do know is that this binary was detected in the wild (and submitted by a user via an Objective-See tool) … so, whether notarized or not, macOS users were infected.

With more research, Patrick was able to determine that the GoSearch22 Apple Silicon-optimized malware is a variant of the “prevalent, but quite insidious, ‘Pirrit’” adware. Specifically, this new instance appears to “persist as a launch agent” and “install itself as a malicious Safari extension”.

Even more notably, the Apple Silicon-optimized GoSearch22 first appeared on December 27, just weeks after the first M1 Macs became available. Patrick notes that a user submitted it to VirusTotal via one of the Objective-See tools.

Why it is significant

To wrap up, Patrick lays out why Apple Silicon-optimized malware matters. First, it is concrete proof of how quickly malicious code evolves in response to Apple’s new hardware and software.

More importantly, today’s tools may not be up to the task of defending against malware targeting macOS arm64:

Second, and most worrying, (static) analysis tools or anti-virus engines can have problems with arm64 binaries.

Check out Patrick’s full technical post on Objective-See here.

Check out 9to5Mac on YouTube for more news from Apple:
