Well, that didn’t take long.
It’s been about four months since Apple’s new Apple Silicon M1 system-on-a-chip (SoC) became available in MacBooks and Mac mini devices, and researchers have already discovered malware that runs natively on the new chip. One malicious program dates back to November 2020, the same month M1 devices became available. However, most users likely don’t need to worry much yet.
Gizmodo cites two main reports of M1 malware. The first comes from security researcher Patrick Wardle, who published a blog post detailing a malicious program reworked for the M1.
Dubbed ‘GoSearch22,’ the program is a Safari browser extension and a variant of the ‘Pirrit’ adware family. Ars Technica describes Pirrit as a “long-running malware family” that started on Windows and was later ported to macOS. Those interested can read more in reports published by researcher Amit Serper in 2016 and 2017.
In short, GoSearch22 behaves similarly to typical adware — it infects a device and then shows users coupons, banners, pop-up ads, surveys and more. Some of the ads promote shady websites and downloads. Plus, these types of malware often collect browsing data like IP addresses, websites users visit, search queries and more.
GoSearch22 was signed with a developer ID that allowed it to bypass macOS’ ‘Gatekeeper’
Gizmodo explains that GoSearch22 was signed with an Apple developer ID on November 23rd. That developer ID means the malware wouldn’t trigger the ‘Gatekeeper’ software on macOS. Gatekeeper is meant to help protect users from malicious software by notifying users when they attempt to download or install an unsafe program.
While developers can take an extra step of having Apple notarize the code for additional confirmation, Wardle noted in his blog post that it’s unclear if Apple ever notarized the code for GoSearch22. Apple has since revoked the malware’s certificate.
Regardless of whether Apple notarized the malicious software, Wardle says it infected macOS users.
The second report comes from Wired, which also outlined the Wardle blog. Additionally, Wired says security researchers from Red Canary told the publication that they’re investigating an example of native M1 malware that seems distinct from Wardle’s finding.
Some defensive tools like antivirus can struggle to catch malware for M1 chips
The presence of malware for M1 Macs shouldn’t come as much of a surprise. Contrary to popular belief, malicious apps do exist for macOS, and it was only a matter of time before the people behind those apps converted them to work on the M1.
“And honestly, I’m not at all surprised by the fact that it happened in Pirrit first. That’s one of the most active Mac adware families, and one of the oldest, and they’re constantly changing to evade detection,” Thomas Reed, a security researcher with Malwarebytes Mac, told Wired.
Wardle also told Wired that some defensive tools, like antivirus engines, struggle to catch the new M1 variants of malicious code.
“They can easily detect the Intel-x86 version, but failed to detect the ARM-M1 version, even though the code is logically identical,” Wardle said.
Red Canary echoed this, noting that there can often be a lag in detection rates while antivirus and other monitoring tools collect “signatures” — think digital fingerprints — from new malware.
Considering malware is already turning up for the M1 Mac, the detection ‘lag’ can be cause for concern. Malware is already in the wild, but detection hasn’t caught up. And according to Red Canary, building out detection capabilities for new platforms like the M1 can take time as software developers try to make sure they don’t break systems.
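The point Wardle and Red Canary make above is that a signature built from the Intel build of a program does not match the M1 build, even though the two do the same thing, because the compiled bytes differ. The following script is an added example written for this article, not code from any of the cited researchers. It parses the Mach-O universal ("fat") container that macOS uses to ship both builds in one file, lists which CPU architectures are present, and hashes each slice separately, which is how a defender can tell whether a sample actually carries a native arm64 slice and why a per-architecture signature is needed. The sample binary is constructed inline with minimal headers and a few placeholder instruction bytes; it is not a loadable executable, and real fat files align their slices to page boundaries, which this toy omits.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE          # fat/universal header, always big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin Mach-O header, host-endian (little on Macs)
CPU_TYPE_X86_64 = 0x01000007    # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C     # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_slices(data: bytes) -> list[tuple[str, bytes]]:
    """Return (arch_name, slice_bytes) for each architecture in a Mach-O file.

    A universal binary is a big-endian fat header (magic, nfat_arch) followed by
    fat_arch entries (cputype, cpusubtype, offset, size, align), each pointing at
    a thin Mach-O. A thin 64-bit binary is returned as a single slice.
    """
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        slices = []
        for i in range(nfat_arch):
            entry = data[8 + 20 * i: 8 + 20 * (i + 1)]
            if len(entry) < 20:
                raise ValueError(f"fat_arch {i} is truncated")
            cputype, _sub, offset, size, _align = struct.unpack(">IIIII", entry)
            if offset + size > len(data):
                raise ValueError(f"fat_arch {i} points past end of file")
            slices.append((CPU_NAMES.get(cputype, hex(cputype)), data[offset:offset + size]))
        return slices
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [(CPU_NAMES.get(cputype, hex(cputype)), data)]
    raise ValueError("not a fat or 64-bit Mach-O file")


def slice_hashes(data: bytes) -> dict[str, str]:
    """SHA-256 of each architecture slice: the unit a per-arch signature covers."""
    return {arch: hashlib.sha256(blob).hexdigest() for arch, blob in parse_slices(data)}


def has_native_arm64(data: bytes) -> bool:
    """True if the file carries an arm64 slice, i.e. it can run natively on M1."""
    return any(arch == "arm64" for arch, _ in parse_slices(data))


def _thin_macho(cputype: int, payload: bytes) -> bytes:
    # Minimal 64-bit mach_header (magic, cputype, cpusubtype, filetype=MH_EXECUTE,
    # ncmds, sizeofcmds, flags, reserved) followed by stand-in code bytes.
    # Constructed for this example only; it has no load commands and will not run.
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0) + payload


def build_sample_fat() -> bytes:
    """Constructed universal binary: the same tiny routine built for both CPUs."""
    x86 = _thin_macho(CPU_TYPE_X86_64, b"\x55\x48\x89\xe5\xc3")  # push rbp; mov rbp,rsp; ret
    arm = _thin_macho(CPU_TYPE_ARM64, b"\xc0\x03\x5f\xd6")       # ret
    header_len = 8 + 20 * 2
    off_x86 = header_len
    off_arm = off_x86 + len(x86)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, off_x86, len(x86), 0)
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off_arm, len(arm), 0)
    return header + x86 + arm


if __name__ == "__main__":
    sample = build_sample_fat()
    for arch, digest in slice_hashes(sample).items():
        print(f"{arch:7} {digest}")
    print("native arm64 slice present:", has_native_arm64(sample))
```

Running it prints two different digests for the two slices of what is, logically, one program; a signature keyed on the x86_64 bytes alone would miss the arm64 build exactly as described above. On a real Mac the same check is available as `lipo -archs` or `file` against the binary, and the per-slice hash is what you would submit or compare when tracking an M1-native sample.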
Thankfully, the first round of malware appears to be frustrating but not overly dangerous — but that doesn’t mean more dangerous malicious software won’t follow. Until detection services catch up, anyone with an M1-powered Mac should be extra careful about online activity and what software they install. Sticking to apps from trusted sources and avoiding shady websites could go a long way to keeping malware off your Mac.
Source: Gizmodo, Ars Technica, Wired, Patrick Wardle (Objective-See)