Malware built specifically to run on Apple’s M1 chip has been found, meaning that malware authors have started adapting malicious software for Apple’s new generation of Macs with Apple silicon.
Malware has begun to be adapted and recompiled to run natively on the M1 chip.
The first known native M1 malware has been discovered in the form of a Safari adware extension that was originally written to run on Intel x86 chips. The malicious extension, named “GoSearch22,” is a prominent member of the “Pirrit” Mac adware family and was first traced at the end of December. Pirrit is one of the earliest and most active Mac adware families and is known to change steadily in an effort to evade detection, so it isn’t surprising that it has already started adapting for the M1.
The GoSearch22 adware presents itself as a genuine Safari browser extension, but it gathers user data and serves a large number of ads such as banners and popups, including some that link to malicious websites to spread more malware. The adware was signed with an Apple Developer ID in November to further hide its malicious content, but the certificate has since been revoked.
As malware for the M1 is still at an early stage, antivirus scanners are not detecting it as readily as the x86 versions, and defensive tools like antivirus engines are still trying to process the modified files. The signatures used to identify malware threats on the M1 chip have not yet been extensively observed, so the security tools to recognize and deal with it are still unavailable.
Researchers from security company Red Canary confirmed that other kinds of native M1 malware, distinct from this finding, have also been discovered and are being reviewed.
Only the MacBook Pro, MacBook Air, and Mac mini feature Apple silicon chips so far, but the technology may expand across the Mac lineup over the next two years, so all new Mac computers could feature Apple silicon chips like the M1 in the near future. It was certain that malware developers would eventually begin targeting Apple’s new machines.
While the M1-native malware does not seem to be unique or unusually deadly, the emergence of these new varieties is a warning that there is possibly more to come.
See Wardle’s full report for more information about the first M1-native malware.