First malware running natively on M1 chip discovered

Malware tailored to run on Apple’s M1 chip has been discovered, indicating that malware authors have started adapting malicious software for the new generation of Apple Macs with Apple silicon.


Mac security researcher Patrick Wardle has now published a report, quoted by Wired, which explains in detail how malware has started to be adapted and recompiled to run natively on the M1 chip.

Wardle discovered the first known M1-native malware in the form of a Safari adware extension, originally written to run on Intel x86 chips. The malicious extension, called “GoSearch22,” is a well-known member of the Mac adware family “Pirrit” and was first identified in late December. Pirrit is one of the oldest and most active Mac adware families and is known to constantly change in an attempt to avoid detection, so it is not surprising that it has already started to adapt to the M1.

The GoSearch22 adware presents itself as a legitimate extension of the Safari browser, but it collects user data and serves a large number of ads, such as banners and pop-ups, including some links to malicious sites that spread more malware. Wardle says the adware was signed with an Apple developer ID in November to further hide its malicious content, but that ID has now been revoked.

Wardle notes that since malware for M1 is still at an early stage, antivirus scanners are not detecting it as easily as x86 versions, and defense tools, such as antivirus engines, are struggling to process the patched files. The signatures used to detect malware threats on the M1 chip have not yet been substantially observed, so the security tools to detect and deal with this are not yet available.

Researchers at security firm Red Canary told Wired that other types of M1 native malware, other than Wardle’s findings, have also been found and are being investigated.

Only the MacBook Pro, MacBook Air and Mac mini have Apple silicon chips at the moment, but the technology is expected to expand across the Mac line in the next two years. Given that all new Mac computers are expected to feature Apple silicon chips like the M1 in the near future, it was somewhat inevitable that malware developers would eventually start targeting Apple’s new machines.

While the native M1 malware that the researchers discovered does not seem unusual or particularly dangerous, the emergence of these new varieties acts as a warning that there is likely to be more to come.

See Wardle’s full report for more information on the first native M1 malware.
