
MacRumors

macrumors bot
Original poster


Malware specifically tailored to run on Apple's M1 chip has been discovered, indicating that malware authors have begun adapting malicious software for Apple's new generation of Macs with Apple silicon.


Mac security researcher Patrick Wardle has now published a report, cited by Wired, that explains in detail how malware has started to be adapted and recompiled to run natively on the M1 chip.

Wardle discovered the first known native M1 malware in the form of a Safari adware extension, originally written to run on Intel x86 chips. The malicious extension, called "GoSearch22," is a well-known member of the "Pirrit" Mac adware family and was first spotted at the end of December. Pirrit is one of the oldest and most active Mac adware families, and has been known to constantly change in an attempt to evade detection, so it is unsurprising that it has already begun adapting for the M1.

The GoSearch22 adware presents itself as a legitimate Safari browser extension, but collects user data and serves a large number of ads such as banners and popups, including some that link to malicious websites to proliferate more malware. Wardle says the adware was signed with an Apple Developer ID in November to further conceal its malicious content, but it has since been revoked.

Wardle notes that since malware for the M1 is still at an early stage, antivirus scanners are not detecting it as easily as x86 versions and defensive tools like antivirus engines are struggling to process the amended files. The signatures used to detect threats from malware on the M1 chip have not yet been substantially observed, so the security tools to detect and deal with it are not yet available.

Researchers from security company Red Canary told Wired that other types of native M1 malware, distinct from Wardle's findings, have also been found and are being investigated.

Only the MacBook Pro, MacBook Air, and Mac mini have Apple silicon chips at this time, but the technology is expected to expand across the Mac lineup over the next two years. Given that all new Mac computers are expected to feature Apple silicon chips like the M1 in the near future, it was somewhat inevitable that malware developers would eventually start to target Apple's new machines.

While the M1-native malware that researchers have found does not seem to be unusual or particularly dangerous, the emergence of these new varieties acts as a warning that there is likely more to come.

See Wardle's full report for more information about the first M1-native malware.

Article Link: First Malware Running Natively on M1 Chip Discovered
 
This is very concerning. I hope Apple can help lock down the M1 even more. It looks like it is time to load Malwarebytes on my M1.
Uncertain if overlooked.

Quote: “Wardle notes that since malware for the M1 is still at an early stage, antivirus scanners are not detecting it as easily as x86 versions and defensive tools like antivirus engines are struggling to process the amended files. The signatures used to detect threats from malware on the M1 chip have not yet been substantially observed, so the security tools to detect and deal with it are not yet available.”
 
Uncertain if overlooked.

Quote: “Wardle notes that since malware for the M1 is still at an early stage, antivirus scanners are not detecting it as easily as x86 versions and defensive tools like antivirus engines are struggling to process the amended files. The signatures used to detect threats from malware on the M1 chip have not yet been substantially observed, so the security tools to detect and deal with it are not yet available.”
I read that. Malwarebytes has an excellent history of catching things early and sounding the alarm. If it isn't detected early on, at least I did what I could.

If I am not mistaken, the original developer of Malwarebytes was a regular member here. I don't know if he is still around.
 
I read that. Malwarebytes has an excellent history of catching things early and sounding the alarm. If it isn't detected early on, at least I did what I could.

If I am not mistaken, the original developer of Malwarebytes was a regular member here. I don't know if he is still around.
Send them an email, I am curious to hear the response on your concern.
 
The problem with cybersecurity is that it's a never-ending arms race.

Hackers will make malware for devices that are being used, so this was inevitably going to happen. And the reason there is more malware targeting Windows than any other OS is simply because it's the most popular OS in the world, and it all boils down to a numbers game.

So I wouldn't be that worried about this (assuming you're already being responsible with downloads & extensions), as it really won't be a problem until M1 Macs outnumber Intel-ones (and more realistically all Intel PCs). Or if the machines are truly that powerful that it's worth focusing resources to go after (what is currently) a relatively small-market.
 
This is very concerning. I hope Apple can help lock down the M1 even more. It looks like it is time to load Malwarebytes on my M1.
Or just be careful what you install. Don’t be like my mother and click every pop up that appears. 😬 No need to lock down the Mac any further. At that point you might as well just use an iPad then.

I’m not concerned. I’ve been a Mac user since 2010 and have never gotten any malware or crap. I’m cautious of pop-ups and only download software/add-ons direct from the developer’s website.

Looks like it’s time to continue to be cautious, not download Malwarebytes (great software for Windows though)
 
Or just be careful what you install. Don’t be like my mother and click every pop up that appears. 😬 No need to lock down the Mac any further. At that point you might as well just use an iPad then.
I am very careful about what I do on my Mac. :)

My mother and father, on the other hand, can't say the same. They are on Windows, though. I tried to get them to convert years ago, but they wouldn't.
 
Hackers will make malware for devices that are being used, so this was inevitably going to happen. And the reason there is more malware targeting Windows than any other OS is simply because it's the most popular OS in the world, and it all boils down to a numbers game.

The definition of “popular” is a far stretch. Windows is simply easily available may it be via OEM or individual purchased license unlike macOS other than having the technical know how to install it on a hackintosh with limited driver support, Windows can be obtained via questionable sources and can be run on most affordable hardware via a sum of its parts or a package which can be done with Mac to a very very limited and deep pocket degree.

If the playing field was levelled it may tell a different story.
 