Mac malware has historically been less common than its counterparts targeting Windows, but in recent years the threat to Apple computers has become widespread. There is adware and even ransomware suitable for Macs, and attackers are always looking to circumvent Apple’s latest defenses. Now, hackers have launched malware designed to run on Apple’s new ARM-based M1 processors, released for the MacBook Pro, MacBook Air, and Mac Mini in November.
Apple’s M1 chip is a break from the Intel x86 architecture that Apple has been using since 2005, and it gives Apple the ability to build specific Mac protections and security features directly into its processors. This transition has forced legitimate developers to work on creating versions of their software that run “natively” on M1 for optimal performance rather than having to be translated via an Apple emulator called Rosetta 2. Not to be outdone, malware writers have also started to make the switch.
Patrick Wardle, a longtime Mac security researcher, published results Wednesday on a Safari adware extension that was originally written to run on Intel x86 chips but has now been redeveloped specifically for M1. The malicious extension, GoSearch22, is part of the popular Pirrit Mac adware family.
“This shows that malware writers are evolving and adapting to keep up with the latest hardware and software from Apple,” said Wardle, who also develops open source security tools for Mac. “As far as I know, this is the first time we are seeing this.”
Researchers at security firm Red Canary tell WIRED they’re also investigating an example of native M1 malware that appears to be separate from Wardle’s discovery.
Given that Apple’s ARM chips are the future of Mac processors, it was inevitable that malware authors would end up writing code just for them. Someone uploaded the custom adware to the VirusTotal antivirus testing platform at the end of December, just over a month after the M1 laptops were delivered. Many researchers and organizations regularly upload malware samples to VirusTotal, either automatically or manually. The adware sample Wardle found there adopts a standard tactic of masquerading as a legitimate Safari browser extension, then collecting user data and serving illicit ads like banners and pop-ups, including those that link to other malicious sites.
Apple declined to comment on the discovery. Wardle says the adware was signed on November 23 with an Apple Developer ID, a paid account that Apple uses to track all Mac and iOS developers. The company has since revoked the GoSearch22 certificate.
Malwarebytes Mac security researcher Thomas Reed agrees with Wardle that the adware wasn’t very new on its own. But he adds that it’s important for security researchers to be aware that native M1 malware is not just coming, but already here.
“It was definitely inevitable – compiling for M1 can be as easy as flipping a switch in the project settings,” says Reed. “And honestly, I’m not at all surprised that this first happened in Pirrit. It’s one of the most active and oldest Mac adware families, and they are constantly changing to escape detection.”
The malicious Safari extension has some anti-analysis features, including logic that tries to avoid debugging tools. But Wardle found that while VirusTotal’s antivirus scanner suite easily detected the x86 version of the adware as malicious, detections of the M1 version were 15% lower.
“Some defensive tools like anti-virus engines have trouble dealing with this ‘new’ binary file format,” says Wardle. “They can easily detect the Intel-x86 version, but fail to detect the ARM-M1 version, even though the code is logically the same.”
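The detection gap Wardle describes comes down to how scanners handle a universal (“fat”) Mach-O that carries both an x86_64 and an arm64 slice of the same logic. The script below is an added example, not code from the article or from any of the researchers quoted: it parses the fat header, hashes each architecture slice separately, and flags slices that a hash-based signature set covers for one architecture but not the other. The universal binary and the “known bad” hash set are constructed inline for the demonstration.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE      # universal binary header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O header, little-endian on x86_64 and arm64
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def parse_slices(data):
    """Return [(arch, sha256)] for every architecture slice in a Mach-O file."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        slices = []
        for i in range(nfat):  # each fat_arch is 20 bytes: cputype, cpusubtype, offset, size, align
            cputype, _sub, off, size, _align = struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i])
            slices.append((CPU_TYPES.get(cputype, hex(cputype)), hashlib.sha256(data[off:off + size]).hexdigest()))
        return slices
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:  # thin 64-bit Mach-O
        cputype = struct.unpack("<i", data[4:8])[0]
        return [(CPU_TYPES.get(cputype, hex(cputype)), hashlib.sha256(data).hexdigest())]
    raise ValueError("not a Mach-O file")

def find_detection_gap(data, known_bad):
    """Archs whose slice hash is NOT in known_bad while a sibling slice's hash IS (a per-arch blind spot)."""
    slices = parse_slices(data)
    if not any(h in known_bad for _, h in slices):
        return []
    return [arch for arch, h in slices if h not in known_bad]

def _thin(cputype, body):
    """Constructed minimal 64-bit Mach-O: 32-byte header (no load commands) followed by placeholder bytes."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0) + body

def build_fat(thins):
    """Constructed universal binary: fat header, one fat_arch per slice, slices placed at 4 KiB boundaries."""
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(thins)))
    for i, thin in enumerate(thins):
        cputype = struct.unpack("<i", thin[4:8])[0]
        out += struct.pack(">iiIII", cputype, 3, 4096 * (i + 1), len(thin), 12)
    for i, thin in enumerate(thins):
        out += b"\0" * (4096 * (i + 1) - len(out)) + thin
    return bytes(out)

# Constructed sample: the "same logic" compiled twice, but a signature written only for the x86_64 slice.
X86_SLICE = _thin(0x01000007, b"same adware logic built for x86_64")
ARM_SLICE = _thin(0x0100000C, b"same adware logic built for arm64")
SAMPLE = build_fat([X86_SLICE, ARM_SLICE])
KNOWN_BAD = {hashlib.sha256(X86_SLICE).hexdigest()}

if __name__ == "__main__":
    for arch, digest in parse_slices(SAMPLE):
        print(arch, digest)
    print("uncovered slices:", find_detection_gap(SAMPLE, KNOWN_BAD))
```

Running it on a real universal binary shows which architectures a hash-only rule actually covers; a rule that matches only the x86_64 slice says nothing about the arm64 one.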