The first Apple Silicon Macs have been out for just a few months, and a good number of popular apps have been updated with native support for the M1 MacBook Air, Pro and Mac mini. Not far behind, what appears to be the first malicious software optimized for Apple Silicon has been found in the wild.
The discovery was made by security researcher and Objective-See founder Patrick Wardle. In a very detailed write-up, Patrick shared how he went about finding the new Apple Silicon-specific malware and why it matters.
As I worked on rebuilding my tools to achieve native M1 compatibility, I thought about the possibility that malware writers also spent their time in a similar way. At the end of the day, malware is simply software (albeit malicious), so I thought it would make sense that we (eventually) would see malicious software built to run natively on Apple’s new M1 systems.
Before we go looking for native M1 malware, we need to answer the question, “How can we determine if a program was created natively for M1?” In short, it will contain arm64 code! OK, and how do we find out?
An easy way is via macOS’s built-in file tool (or the lipo tool). Using this tool, we can examine a binary to see if it contains compiled arm64 code.
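The check above relies on the Mach-O header: a universal ("fat") binary is a big-endian table of architecture slices, and each slice is a thin Mach-O whose header names its CPU type. The following parser is an added example written for this article, not code from Patrick Wardle or Objective-See, and it runs on any platform without `file` or `lipo`. It reads the fat header, reports the CPU type of each slice, and also reads the LC_BUILD_VERSION load command so that an arm64 iOS binary (which Patrick had to weed out of his VirusTotal results) is not mistaken for native macOS code. The sample binaries at the bottom are constructed in-line with the same helpers and contain no executable code.

```python
import struct
import sys

# Mach-O constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE        # universal binary header, always big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O, little-endian on x86_64 and arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_BUILD_VERSION = 0x32       # load command carrying the target platform
MH_EXECUTE = 2
PLATFORM_MACOS, PLATFORM_IOS = 1, 2

CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
PLATFORM_NAMES = {PLATFORM_MACOS: "macos", PLATFORM_IOS: "ios"}
MACH_HEADER_64_SIZE = 32


def _thin_info(data: bytes) -> dict:
    """Describe one 64-bit thin Mach-O: CPU type and the platform it was built for."""
    magic, cputype, _subtype, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    platform = None
    off = MACH_HEADER_64_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_BUILD_VERSION:
            # struct build_version_command: cmd, cmdsize, platform, minos, sdk, ntools
            platform = struct.unpack_from("<I", data, off + 8)[0]
        off += cmdsize
    return {"cpu": CPU_NAMES.get(cputype, hex(cputype)),
            "platform": PLATFORM_NAMES.get(platform, "unknown")}


def mach_o_slices(data: bytes) -> list:
    """Return one descriptor per architecture slice (one entry for a thin binary)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        # Note: Java class files share this magic; a real scanner should sanity-check nfat_arch.
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(_thin_info(data[offset:offset + size]))
        return slices
    if struct.unpack_from("<I", data, 0)[0] == MH_MAGIC_64:
        return [_thin_info(data)]
    raise ValueError("not a Mach-O binary")


def has_native_arm64_macos(data: bytes) -> bool:
    """True if any slice is arm64 code built for macOS (i.e. runs natively on M1)."""
    return any(s["cpu"] == "arm64" and s["platform"] == "macos" for s in mach_o_slices(data))


# --- constructed sample inputs (headers only, no machine code) -----------------
def build_thin(cputype: int, platform: int) -> bytes:
    """Constructed minimal thin Mach-O: header plus a single LC_BUILD_VERSION command."""
    lc = struct.pack("<6I", LC_BUILD_VERSION, 24, platform, 0x000B0000, 0x000B0000, 0)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 1, len(lc), 0, 0)
    return header + lc


def build_fat(thins: list) -> bytes:
    """Constructed universal binary wrapping the given (cputype, thin image) pairs."""
    table_size = 8 + 20 * len(thins)
    archs, body = b"", b""
    for cputype, blob in thins:
        archs += struct.pack(">5I", cputype, 0, table_size + len(body), len(blob), 0)
        body += blob
    return struct.pack(">2I", FAT_MAGIC, len(thins)) + archs + body


SAMPLE_UNIVERSAL = build_fat([(CPU_TYPE_X86_64, build_thin(CPU_TYPE_X86_64, PLATFORM_MACOS)),
                              (CPU_TYPE_ARM64, build_thin(CPU_TYPE_ARM64, PLATFORM_MACOS))])
SAMPLE_IOS_ARM64 = build_thin(CPU_TYPE_ARM64, PLATFORM_IOS)     # arm64, but not macOS
SAMPLE_INTEL_ONLY = build_thin(CPU_TYPE_X86_64, PLATFORM_MACOS)  # would need Rosetta on M1

if __name__ == "__main__":
    # Usage: python mach_o_arch.py <binary>   (defaults to the constructed universal sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNIVERSAL
    for s in mach_o_slices(data):
        print(f"slice: cpu={s['cpu']} platform={s['platform']}")
    print("native arm64 macOS code:", has_native_arm64_macos(data))
```

For a real hunt the platform check matters as much as the CPU check: every iOS app is arm64, so "contains arm64" alone produces mostly false positives, which is exactly the filtering step described next.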
Patrick ended up using a free research account with VirusTotal to start the hunt. An important step in finding malicious software that was genuinely optimized for Apple Silicon was to weed out universal apps that are actually iOS binaries (which are arm64 by definition).
After narrowing the results, Patrick found an interesting sample: “GoSearch22.”
After passing a few more checks, Patrick was able to confirm that this is malicious software optimized for M1 Macs.
Hooray, so we’ve succeeded in finding a macOS program that contains native M1 (arm64) code … which is detected as malicious! This confirms that the authors of the malware / adware are really working to ensure that their malicious creations are compatible with Apple’s latest hardware. 🥲
It is also important to note that GoSearch22 was actually signed with an Apple Developer ID (hongsheng yan) on November 23, 2020.
Patrick notes that Apple has since revoked the certificate, so it is not known whether Apple had notarized the code. But anyway …
What we do know is that this binary was found in the wild (and submitted by a user via an Objective-See tool) … so whether it was notarized or not, macOS users became infected.
With further digging, Patrick was able to determine that the Apple Silicon-optimized GoSearch22 is a variant of the “widespread but rather insidious” Pirrit “adware.” In particular, this new instance looks like it aims to “persist as a launch agent” and “install itself as a malicious Safari extension.”
More specifically, the Apple Silicon-optimized GoSearch22 first appeared on December 27, just weeks after the first M1 Macs became available. And Patrick notes that a user actually submitted it to VirusTotal using one of the Objective-See tools.
Why it’s important
Finally, Patrick shares some thoughts on why Apple Silicon optimized malware matters. First, there is real-world evidence of how rapidly malicious code is evolving in response to new Apple hardware and software.
But beyond that, the more important takeaway is that current tools may not be up to the task of defending against arm64 macOS-focused malware:
Second, and more worryingly, (static) analysis tools or antivirus engines may struggle with arm64 binaries.
Check out Patrick’s full technical post on Objective-See here.