The first malware optimized for Apple silicon Macs has now been discovered in the wild, affecting owners of Apple’s latest computers that are powered by its own M1 chip.
This new native malware was first detected in the wild on December 27, weeks after the first M1 Macs launched. Therefore, it’s entirely possible that some folks were infected.
Former NSA security researcher Patrick Wardle, writing on his Objective-See blog:
Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems. The malicious “GoSearch22” application may be the first example of such natively M1 compatible code.
So hackers have definitely begun recompiling malware for M1 Macs.
It is no secret that malware can affect Mac computers, and this example reinforces that notion. In his blog post, the security researcher dives deep into the technicalities behind identifying malware that’s built to execute natively on Apple’s M1 laptop chip.
Here’s How It Works
We won’t bore you with details beyond saying he’s used the file tools in macOS to examine malware binaries until he could identify native M1 code in one. Identified as malicious, “GoSearch22” has become the first malware truly optimized for Apple silicon Macs.
Considering “GoSearch22” is a form of the rather insidious “Pirrit” adware, it’s definitely not as innocuous as it might seem at first blush. According to Wardle, this particular strain of the “Pirrit” adware appears to persist as a launch agent.
Should I Be Concerned?
It also installs itself as a malicious Safari extension, he continued.
First, (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino. There are a myriad of benefits to natively distributing native arm64 binaries, so why would malware authors resist?
Another point of concern, according to the security researcher, could be the fact that the current anti-virus engines struggle with native Apple silicon code. On the upside, Wardle highlights the importance of the security measures built into macOS.
As Apple has revoked the certificate, the malicious application will no longer run on macOS (unless of course, the attackers re-sign it with another certificate).
Your key takeaway should be that malware creators have started compiling their code to run natively on Apple’s latest Mac hardware. And that could prove problematic for some people because defensive security tools currently struggle to detect Apple silicon binaries.