Amer Owaida, Security writer at ESET explains the disturbing trend that the first instance of malicious code native to Apple Silicon M1 Macs emerged a month after the release of devices equipped with the company’s in-house CPUs
In November, Apple debuted a series of Mac computers sporting its new Apple Silicon M1 chips to great acclaim. The release of the new hardware also grabbed the attention of enterprising cybercriminals, who prepared a “little” debut of their own – malware that can run specifically on devices fitted with the new Apple chipsets.
Apple’s new M1 processors use ARM-based architecture, a departure from the previous generation of Intel x86 processors that its computers previously came with. This has necessitated for applications developed for Macs to be either translated through Apple’s Rosetta 2 engine or coded anew to work natively on the new chips.
In the meantime, threat actors have been busy in their own way. Mac security researcher Patrick Wardle has disclosed details about malicious code that targets specifically computers running on Apple Silicon. Combing through VirusTotal and using specific search modifiers, Wardle was able to identify a macOS program that was written in native M1 code and was identified as malicious. The application, dubbed GoSearch22, was found to be a variant of the Pirrit adware family, a common threat targeting Mac users.
Applications such as GoSearch22 display unwanted coupons, banners, and pop-up ads that promote questionable webpages; however, they have also been observed to collect browsing data or other potentially sensitive information.
The new version seems to install itself as a malicious Safari extension and persist as a launch agent. It is worth noting that the malware strain was submitted into VirusTotal at the end of December 2020, a mere month after the launch of the new Mac computers.
“Rather awesomely, if we analyze details of the VirusTotal submission, it turns out this sample was submitted (by a user) directly through one of Objective-See’s tools (likely KnockKnock) …after the tool flagged the malicious code, due to its persistence mechanism,” Wardle said. This means that the malware has been detected in the wild and macOS users might have been infected.
“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications so that their code will natively run on M1 systems. The malicious GoSearch22 application may be the first example of such natively M1 compatible code,” he said.