Malware for Mac has it has always been less common than its Windows-based counterparts, but in recent years the threat to Apple computers has become more popular. There are adware and even custom ransomware for Macs, and attackers are always looking to bypass Apple’s latest defenses. Now, hackers have released malware tailored to run on Apple’s new ARM-based M1 processors, released for the MacBook Pro, MacBook Air and Mac Mini in November.
Apple’s M1 chip is a departure from the Intel x86 architecture that Apple has been using since 2005 and gives Apple the opportunity to incorporate Mac-specific security features and protections directly into its processors. This transition required legitimate developers to work on building versions of their software that run “natively” on the M1 for optimal performance, rather than having to be translated by an Apple emulator called Rosetta 2. Not to be outdone, authors of malware started to transition as well.
Longtime Mac security researcher Patrick Wardle published findings on Wednesday about a Safari adware extension that was originally written to run on Intel x86 chips, but has now been redesigned specifically for M1. The malicious extension, GoSearch22, is a member of the infamous Pirrit Mac adware family.
“It shows that malware authors are evolving and adapting to keep up with Apple’s latest hardware and software,” says Wardle, who also develops security tools for open source Macs. “As far as I know, this is the first time we’ve seen this.”
Researchers at security firm Red Canary told WIRED that they are also investigating an example of native M1 malware that looks different from Wardle’s discovery.
Given that Apple’s ARM chips are the future of Mac processors, it was inevitable that malware authors would eventually start writing code just for them. Someone uploaded the adware tailored to the VirusTotal antivirus testing platform in late December, just over a month after the M1 laptops were shipped. Many researchers and organizations routinely upload malware samples to VirusTotal automatically or as a routine. The adware sample that Wardle found uses a standard tactic of posing as a legitimate extension of the Safari browser and then collecting user data and serving illicit ads such as banners and pop-ups, including those that target other malicious sites.
Apple declined to comment on the discovery. Wardle says the adware was signed with an Apple developer ID, a paid account that allows Apple to track all Mac and iOS developers on November 23. The company has already revoked the GoSearch22 certificate.
Malwarebytes Mac security researcher Thomas Reed agrees with Wardle’s assessment that the adware was not very new in itself. But he adds that it is important for security researchers to be aware that native M1 malware is not just coming, but is already here.
“It was definitely inevitable – compiling for M1 can be as easy as pressing a button in the project settings,” says Reed. “And honestly, I’m not surprised that it happened first in Pirrit. This is one of the most active Mac adware families, and one of the oldest, and is constantly changing to avoid detection. ”
The malicious Safari extension has some anti-analysis features, including logic to try to avoid debugging tools. But Wardle found that while VirusTotal’s suite of antivirus scanners easily identified the x86-based version of the adware as malicious, there was a 15% drop in detection of the M1 version.
“Certain defense tools, such as antivirus engines, struggle to process this ‘new’ binary file format,” says Wardle. “They can easily detect the Intel-x86 version, but they failed to detect the ARM-M1 version, although the code is logically identical.”