Mac malware has always been less common than its Windows-targeting counterparts, but in recent years the threat to Apple computers has gone mainstream. There’s adware and even ransomware tailored to Macs, and attackers are always looking to circumvent Apple’s latest defenses. Now hackers have debuted malware tailored to run on Apple’s new ARM-based M1 processors, released for the MacBook Pro, MacBook Air, and Mac Mini in November.
Apple’s M1 chip is a departure from the Intel x86 architecture Apple has used since 2005, and it gives Apple the opportunity to bake specific Mac security protections and features directly into its processors. That transition has required legitimate developers to work on building versions of their software that run “natively” on M1 for optimal performance rather than needing to be translated through an Apple emulator called Rosetta 2. Not to be outdone, malware authors have started making the transition too.
Longtime Mac security researcher Patrick Wardle published findings on Wednesday about a Safari adware extension that was originally written to run on Intel x86 chips, but has now been redeveloped specifically for M1. The malicious extension, GoSearch22, is a member of the notorious Pirrit Mac adware family.
“This shows that malware authors are evolving and adapting to keep up with Apple’s latest hardware and software,” says Wardle, who also develops open source Mac security tools. “As far as I know, this is the first time we’ve seen this.”
Researchers from the security firm Red Canary tell WIRED that they are also investigating an example of native M1 malware that appears distinct from Wardle’s finding.
Given that Apple’s ARM chips are the future of Mac processors, it was inevitable that malware authors would eventually start writing code just for them. Someone uploaded the tailored adware to the antivirus testing platform VirusTotal at the end of December, a little over a month after the M1 laptops shipped. Many researchers and organizations routinely upload malware samples to VirusTotal automatically or as a matter of course. The adware sample Wardle found there takes a standard tactic of posing as a legitimate Safari browser extension and then collecting user data and serving illicit ads like banners and popups, including those that link to other malicious sites.
Apple declined to comment about the finding. Wardle says the adware was signed with an Apple developer ID, a paid account that allows Apple to keep track of all Mac and iOS developers, on November 23. The company has since revoked the GoSearch22 certificate.
Malwarebytes Mac security researcher Thomas Reed agrees with Wardle’s assessment that the adware was not very novel in itself. But he adds that it’s important for security researchers to be aware that native M1 malware is not just coming, but already here.
“It definitely was inevitable—compiling for M1 can be as easy as flicking a switch in the project settings,” Reed says. “And honestly, I’m not at all surprised by the fact that it happened in Pirrit first. That’s one of the most active Mac adware families, and one of the oldest, and they’re constantly changing to evade detection.”
The malicious Safari extension does have some anti-analysis features, including logic to try to avoid debugging tools. But Wardle found that while VirusTotal’s suite of antivirus scanners easily spots the x86-based version of the adware as malicious, there was a 15 percent drop in detection of the M1 version.
“Certain defensive tools like antivirus engines struggle to process this ‘new’ binary file format,” Wardle says. “They can easily detect the Intel-x86 version, but failed to detect the ARM-M1 version, even though the code is logically identical.”
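The detection gap described above is a reason to inspect each architecture of a Mac binary on its own. As an added example (not from the article or from Wardle's research), this Python code lists the architecture slices in a Mach-O file, thin or universal, and hashes each one so the arm64 code can be scanned and tracked separately from the x86_64 code; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# CPU type values from Apple's <mach/machine.h>; 0x01000000 marks a 64-bit ABI.
CPU_NAMES = {0x07: "i386", 0x01000007: "x86_64", 0x0C: "arm", 0x0100000C: "arm64"}
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # universal header, big-endian
THIN_MAGICS = (0xFEEDFACE, 0xFEEDFACF)             # 32-bit / 64-bit Mach-O


def macho_slices(data):
    """Return [(arch, offset, size)] for every architecture slice in the image."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        entry = ">IIIII" if magic == FAT_MAGIC else ">IIQQII"
        step = struct.calcsize(entry)
        if 8 + count * step > len(data):
            raise ValueError("fat header lists more slices than the file holds")
        slices = []
        for i in range(count):
            cpu, _sub, off, size = struct.unpack_from(entry, data, 8 + i * step)[:4]
            if off + size > len(data):
                raise ValueError("slice runs past end of file")
            slices.append((CPU_NAMES.get(cpu, hex(cpu)), off, size))
        return slices
    for order in "<>":  # a thin Mach-O header is stored in the target's byte order
        magic, cpu = struct.unpack_from(order + "II", data, 0)
        if magic in THIN_MAGICS:
            return [(CPU_NAMES.get(cpu, hex(cpu)), 0, len(data))]
    raise ValueError("not a Mach-O image")


def slice_digests(data):
    """SHA-256 of each slice, so every architecture can be scanned on its own."""
    return {a: hashlib.sha256(data[o:o + s]).hexdigest() for a, o, s in macho_slices(data)}


def build_sample():
    """Constructed two-slice universal image with filler bytes, not a real binary."""
    def thin(cpu, body):
        return struct.pack("<8I", 0xFEEDFACF, cpu, 0, 2, 0, 0, 0, 0) + body
    x86, arm = thin(0x01000007, b"\x90" * 16), thin(0x0100000C, b"\x1f\x20\x03\xd5" * 4)
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">IIIII", 0x01000007, 3, 64, len(x86), 0)
    hdr += struct.pack(">IIIII", 0x0100000C, 0, 64 + len(x86), len(arm), 0)
    return hdr.ljust(64, b"\0") + x86 + arm


if __name__ == "__main__":
    for arch, digest in slice_digests(build_sample()).items():
        print(arch, digest)
```

A per-slice digest that has no scan verdict attached is the signal to check: it means only one architecture of the file was actually examined.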