
Last year, Apple launched MacBooks and Mac minis with a new ARM CPU – the Apple M1. A few months later, malware authors are already targeting the new hardware directly. Wired interviewed Mac security researcher Patrick Wardle, who discovered a native M1 version of the long-running Mac Pirrit adware family.
Apple M1, malware and you
ARM CPUs have an Instruction Set Architecture (ISA) very different from traditional x86 CPUs for desktops and laptops, which means that software designed for one ISA cannot run on the other without assistance. M1 Macs can run x86 software with a translation layer called Rosetta, but native M1 applications, of course, run much faster – as we can see by comparing Google Chrome translated by Rosetta with the native M1 version.
When it comes to malware, Apple users have long benefited from the minority status of their platform. Ten years ago, the market share for the macOS operating system was only 6.5%, and few malware authors bothered to target it – but today that market share is approaching 20%. This increase in popularity has brought malware vendors along with it; the macOS malware ecosystem is still tiny and relatively crude compared to what plagues Windows, but it is very real.
The incentive for malware authors to target the M1 directly is not huge – most existing macOS malware runs perfectly well on an M1-equipped Mac via Rosetta 2. Malware authors generally don’t care much about performance – the CPU cycles aren’t theirs, after all, so the overhead costs them nothing. But there are still some benefits to targeting new hardware directly – the more efficient the malware code is, the less likely the owners of the computers it infects are to notice it and / or care enough to eradicate it.
Finding M1-native malware
Wardle used a researcher account on VirusTotal to search for instances of native M1 malware. The actual search he used was `type:macho tag:arm tag:64bits tag:multi-arch tag:signed positives:2+` – which translates to “Apple-signed, multi-architecture Mach-O executables that include 64-bit ARM code and have been flagged by at least two antivirus engines.”
This search, unfortunately, mostly turns up iOS malware built with support for more than one ARM architecture – but it narrowed things down enough for Wardle to analyze the results manually. He eventually found a Safari extension called GoSearch22. The application bundle’s Info.plist file confirmed that it was actually a macOS application (not iOS).
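The two checks described above – is the binary a multi-architecture Mach-O that carries a 64-bit ARM slice, and does the bundle’s Info.plist say it targets macOS rather than iOS – can be scripted for offline triage. The following is an added example, not Wardle’s tooling or anything from the article; it parses the Mach-O fat header (magic 0xCAFEBABE, big-endian, one 20-byte `fat_arch` record per slice) and a thin Mach-O header, then reads the platform from Info.plist. The sample fat header, thin header and plists are constructed inline for the demonstration and are not real GoSearch22 artifacts.

```python
import plistlib
import struct

# Mach-O constants (from <mach-o/fat.h>, <mach-o/loader.h>, <mach/machine.h>)
FAT_MAGIC = 0xCAFEBABE       # universal ("fat") header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF     # thin 64-bit Mach-O, stored little-endian on x86/ARM
MH_MAGIC = 0xFEEDFACE        # thin 32-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})")


def macho_architectures(data):
    """Return the list of architecture names contained in a Mach-O file (fat or thin)."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java class files share this magic; their version fields would read as an
        # absurd slice count, so a large value is a heuristic sign it is not a fat Mach-O.
        if nfat > 20:
            raise ValueError("CAFEBABE magic but implausible slice count (Java class file?)")
        if len(data) < 8 + 20 * nfat:
            raise ValueError("truncated fat header")
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i
            cputype, _subtype, _offset, _size, _align = struct.unpack(">IIIII", data[off:off + 20])
            archs.append(cpu_name(cputype))
        return archs
    if struct.unpack("<I", data[:4])[0] in (MH_MAGIC_64, MH_MAGIC):
        cputype = struct.unpack("<I", data[4:8])[0]
        return [cpu_name(cputype)]
    raise ValueError("not a Mach-O file")


def bundle_platform(plist_bytes):
    """Classify an Info.plist as macOS / iOS from its platform keys."""
    info = plistlib.loads(plist_bytes)
    platforms = info.get("CFBundleSupportedPlatforms") or []
    if "MacOSX" in platforms:
        return "macOS"
    if "iPhoneOS" in platforms:
        return "iOS"
    if "LSMinimumSystemVersion" in info:   # macOS-only key
        return "macOS"
    if "MinimumOSVersion" in info:         # iOS-only key
        return "iOS"
    return "unknown"


def triage(binary, plist_bytes):
    """Summarise whether a bundle is a multi-arch, arm64-capable macOS application."""
    archs = macho_architectures(binary)
    platform = bundle_platform(plist_bytes)
    return {
        "archs": archs,
        "multi_arch": len(archs) > 1,
        "has_arm64": "arm64" in archs,
        "platform": platform,
        "m1_native_macos": "arm64" in archs and platform == "macOS",
    }


# ---- constructed sample inputs (headers only; not real executables) ----
def build_sample_fat(cputypes):
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        # subtype, offset, size, align are dummy values; only the headers are parsed
        hdr += struct.pack(">IIIII", ct, 0, 0x1000 * (i + 1), 0x100, 12)
    return hdr


SAMPLE_FAT = build_sample_fat([CPU_TYPE_X86 | CPU_ARCH_ABI64, CPU_TYPE_ARM | CPU_ARCH_ABI64])
SAMPLE_THIN_ARM64 = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM | CPU_ARCH_ABI64, 0, 2, 0, 0, 0, 0)
JAVA_LIKE = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"   # class file: minor 0, major 52

SAMPLE_MACOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed</string>
  <key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array>
  <key>LSMinimumSystemVersion</key><string>10.13</string>
</dict></plist>
"""
SAMPLE_IOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed.ios</string>
  <key>CFBundleSupportedPlatforms</key><array><string>iPhoneOS</string></array>
  <key>MinimumOSVersion</key><string>13.0</string>
</dict></plist>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_FAT, SAMPLE_MACOS_PLIST))
```

On a real system the same functions can be pointed at `Contents/MacOS/<executable>` and `Contents/Info.plist` inside a bundle; the arm64 check is what the `tag:arm tag:64bits tag:multi-arch` part of the search expresses, and the plist check is the step that separated GoSearch22 from the iOS results.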
The application was signed with the Apple Developer ID hongsheng_yan in November 2020 – but we don’t know whether Apple ever notarized it, since Apple has since revoked the certificate. With that certificate revoked, this version of GoSearch22 will no longer run on macOS – unless and until its authors manage to sign it with another developer key, at least.
We can also assume that this malware infected real macOS users before the certificate was revoked – otherwise, it is extremely unlikely that it would have been submitted to VirusTotal by a user.
What does GoSearch22 do?
The native M1 malware that Wardle found was flagged by 24 separate antivirus engines. Seventeen of those 24 positives were “generic” – but the remaining seven corresponded to signatures for the Pirrit adware family.
Pirrit is a long-standing malware family that started on Windows but was eventually ported to macOS. Its presence on macOS was first documented by researcher Amit Serper in 2016, with a remarkable follow-up by Serper in 2017.
If you are interested in knowing where all the bodies are buried – for the Pirrit code itself and for TargetingEdge, the company that distributes it – I strongly recommend Serper’s very detailed and informative articles. But if you just want the short version: Pirrit variants display unwanted ads and are frankly obnoxious about it.
Once a user installs whatever shiny Trojan the Pirrit variant in question came wrapped in – which may be a fake video player, a PDF reader or a seemingly benign Safari extension – the user’s default search engine is changed to something unpleasant and useless, their web browsing is tracked, and the pages they visit are infested with unwanted advertisements.
This is all bad enough on its own; but Pirrit also uses all the standard malware tricks to stay installed, avoid detection and generally make life difficult for anyone trying to “interfere” with it. Pirrit searches for and removes applications and browser extensions that might interfere with it, hides from attempts to find it by staying outside the Applications directory, gains root access on the Macs it is installed on, and obfuscates its code to make it harder to detect and analyze.
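The article describes Pirrit staying installed and hiding outside the Applications directory, but does not say which persistence mechanism it uses. As an added defensive example (not from the article or from Serper’s research), the script below audits launchd property lists, the most common place third-party software registers itself to run at login, and flags items whose program lives outside the usual locations, sits in a hidden directory, or is configured to respawn if killed. The two sample agent plists are constructed for the demonstration and are not real Pirrit artifacts; the “trusted prefix” list is an assumption to tune for a given fleet.

```python
import plistlib

# Directories from which a launch agent's program is normally expected to run.
# Anything outside these is not automatically malicious, just worth a look.
TRUSTED_PREFIXES = (
    "/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/",
)


def audit_launch_item(plist_bytes):
    """Return a list of human-readable findings for one launchd plist (empty if clean)."""
    info = plistlib.loads(plist_bytes)
    args = info.get("ProgramArguments") or []
    program = info.get("Program") or (args[0] if args else "")
    findings = []
    if not program:
        findings.append("no Program / ProgramArguments path")
    else:
        if not program.startswith(TRUSTED_PREFIXES):
            findings.append(f"program outside trusted locations: {program}")
        if "/." in program:
            findings.append("program path contains a hidden directory")
    if info.get("RunAtLoad") and info.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: restarts automatically if terminated")
    return findings


def suspicious_items(items):
    """Given {plist_path: plist_bytes}, return the paths that produced any finding."""
    return [path for path, data in items.items() if audit_launch_item(data)]


# ---- constructed sample plists (not real artifacts) ----
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vendor.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.cache/helper</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""
SAMPLE_AGENTS = {
    "/Library/LaunchAgents/com.example.vendor.updater.plist": BENIGN_AGENT,
    "/Library/LaunchAgents/com.example.helper.plist": SUSPICIOUS_AGENT,
}

if __name__ == "__main__":
    for path, data in SAMPLE_AGENTS.items():
        for finding in audit_launch_item(data):
            print(f"{path}: {finding}")
```

On a live system the dictionary would be filled by reading `/Library/LaunchAgents`, `/Library/LaunchDaemons` and each user’s `~/Library/LaunchAgents`; items in `/Library/LaunchDaemons` run as root, which is why a root-level foothold of the kind the article describes deserves a closer look there.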