First malware to run natively on M1 chip discovered

Malware specifically tailored to Apple’s M1 chip has been discovered, indicating that malware authors have begun modifying malicious software for Apple’s next-generation Macs with Apple silicon.


Mac security researcher Patrick Wardle has now published a report quoted by Wired, which explains in detail how malware has begun to be modified and recompiled to run natively on the M1 chip.

Wardle discovered the first known native M1 malware in the form of a Safari adware extension, originally written for Intel x86 chips. The malicious extension, called “GoSearch22”, is a known member of the “Pirrit” Mac adware family and was first spotted in late December. Pirrit is one of the oldest and most active Mac adware families, and is known to change constantly in an attempt to bypass detection, so unsurprisingly, it has already started adapting for the M1.

The GoSearch22 adware presents itself as a legitimate Safari browser extension, but collects user data and displays a variety of advertisements such as banners and pop-ups, including some linking to malicious websites to spread more malware. Wardle says the adware was signed with an Apple Developer ID in November to further hide the malicious content, but it has since been withdrawn.

Wardle notes that because malware for the M1 is at an early stage, anti-virus scanners do not detect it as easily as the x86 versions, and defensive tools such as anti-virus engines struggle to process the changed files. The signatures needed to detect malware threats on the M1 chip are not yet well established, so the security tools to detect and deal with them are not yet available.

Researchers from security company Red Canary told Wired that other types of native M1 malware, differing from Wardle’s findings, have also been found and are under investigation.

Only the MacBook Pro, MacBook Air and Mac mini currently have Apple silicon chips, but the technology is expected to expand across the Mac line in the next two years. Considering that all new Mac computers will include Apple silicon chips like the M1 in the near future, it was somewhat inevitable that malware developers would eventually turn to Apple’s new machines.

While the M1-native malware found by researchers doesn’t seem unusual or particularly dangerous, the emergence of these new variants is a warning that more are likely to come.

To learn more about the first M1 native malware, check out Wardle’s full report.
