One of the first malicious software samples built to run natively on Apple’s M1 chip has been discovered, a sign that attackers have begun adapting their malware to the company’s latest generation of Macs powered by its own processors.
Just as the move to Apple silicon has required legitimate developers to ship new builds of their apps for performance and compatibility, malware authors are now taking the same step and compiling code that runs natively on M1 systems, according to macOS security researcher Patrick Wardle.
Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27.
“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will run natively on M1 systems,” Wardle said in a write-up published yesterday. “The malicious GoSearch22 application may be the first example of such M1-compatible code.”
Although M1 Macs can still run x86_64 software through Rosetta, Apple’s dynamic binary translator, shipping a native arm64 build gives malware more than a performance gain: it also raises the odds of slipping past security tools that were built and tuned for Intel binaries.
First documented in 2016, Pirrit is a long-running Mac adware family known for pushing intrusive and fraudulent ads; when a user clicks one, it downloads and installs unwanted apps that come bundled with information-gathering features.
For its part, GoSearch22 poses as a legitimate Safari browser extension when in fact it harvests browsing data and serves a large volume of ads, including banners and pop-ups that link to dubious websites used to distribute additional malware.
Wardle said the extension was signed in November with an Apple Developer ID (“hongsheng_yan”) to make it appear legitimate. Apple has since revoked that certificate, so the application will no longer run on macOS unless the attackers re-sign it with another one.
While the discovery shows how malware evolves in direct response to hardware changes, Wardle also cautioned that “(static) analysis tools or antivirus engines may struggle with arm64 binaries”: detection rates from industry-leading security products were roughly 15% lower for the arm64 build than for the Intel x86_64 version of the same sample.
GoSearch22’s capabilities may be neither new nor especially dangerous, but that is beside the point. The emergence of M1-compatible malware is only the beginning, and more variants are likely to follow.
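The two technical points above, a “multi-architecture” (universal) application that carries both an x86_64 and an arm64 slice, and the fact that the arm64 slice is what defenders must now inspect, come down to reading the Mach-O headers. The script below is an added example written for this article, not code from Wardle’s write-up or from the GoSearch22 sample: it parses the universal (“fat”) header and each slice’s `mach_header` to list the architectures a binary contains and flags whether it would run natively on an M1 without Rosetta. The universal binary it inspects is constructed in memory from synthetic headers (no code, no real malware) so the example runs offline; all function names are this example’s own.

```python
"""List the CPU architectures carried by a Mach-O binary.

Added example (not code from the article's author or the GoSearch22 sample).
The "universal" binary built by build_sample_universal() is a constructed
stand-in consisting only of headers so the script runs anywhere offline.
"""
from __future__ import annotations

import struct

# Constants from <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC = 0xCAFEBABE        # universal header; always stored big-endian
MH_MAGIC = 0xFEEDFACE         # thin 32-bit Mach-O, stored in the target's byte order
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O, stored in the target's byte order
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {0x00000007: "i386", CPU_TYPE_X86_64: "x86_64",
             0x0000000C: "arm", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")            # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")           # cputype, cpusubtype, offset, size, align
MACH_HEADER_64 = struct.Struct("<IIIIIIII")  # x86_64 and arm64 are both little-endian


def _name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})")


def mach_o_architectures(data: bytes) -> list[str]:
    """Return one architecture name per slice in a fat or thin Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_be == FAT_MAGIC:
        _, nfat = FAT_HEADER.unpack_from(data, 0)
        archs = []
        for i in range(nfat):
            cputype, _sub, offset, size, _align = FAT_ARCH.unpack_from(
                data, FAT_HEADER.size + i * FAT_ARCH.size)
            if offset + size > len(data):  # truncated or malformed slice table
                raise ValueError(f"fat_arch[{i}] extends past end of file")
            archs.append(_name(cputype))
        return archs
    # Thin binary: the magic reveals the byte order of the rest of the header.
    if magic_be in (MH_MAGIC, MH_MAGIC_64):
        order = ">"
    elif struct.unpack("<I", data[:4])[0] in (MH_MAGIC, MH_MAGIC_64):
        order = "<"
    else:
        raise ValueError("not a Mach-O file")
    cputype = struct.unpack(order + "I", data[4:8])[0]
    return [_name(cputype)]


def runs_natively_on_m1(data: bytes) -> bool:
    """True if the image has an arm64 slice, i.e. it needs no Rosetta translation."""
    return "arm64" in mach_o_architectures(data)


def build_sample_universal() -> bytes:
    """Constructed x86_64 + arm64 universal image: fat header, slice table,
    and one header-only mach_header_64 per slice, page-aligned like a real one."""
    page = 0x1000
    slices = [(CPU_TYPE_X86_64, 0x00000003), (CPU_TYPE_ARM64, 0x00000000)]
    image = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(slices)))
    headers = []
    for i, (cputype, subtype) in enumerate(slices):
        offset = page * (i + 1)
        # filetype 2 = MH_EXECUTE; no load commands, so ncmds/sizeofcmds are 0
        headers.append((offset, MACH_HEADER_64.pack(MH_MAGIC_64, cputype, subtype,
                                                    2, 0, 0, 0, 0)))
        image += FAT_ARCH.pack(cputype, subtype, offset, MACH_HEADER_64.size, 12)
    for offset, hdr in headers:
        image += b"\x00" * (offset - len(image))
        image += hdr
    return bytes(image)


if __name__ == "__main__":
    import sys
    targets = {p: open(p, "rb").read(64) for p in sys.argv[1:]} or \
        {"<constructed sample>": build_sample_universal()}
    for name, blob in targets.items():
        archs = mach_o_architectures(blob)
        print(f"{name}: {', '.join(archs)}  native on M1: {runs_natively_on_m1(blob)}")
```

On a Mac, `lipo -archs <binary>` and `file <binary>` report the same slice list, and `codesign -dv --verbose=4 <binary>` prints the Team ID and certificate chain, which is how the revoked Developer ID mentioned above would show up. Note that reading only the first 64 bytes, as the `__main__` block does for files on disk, is enough to enumerate a slice table of up to two entries; for more slices, read the whole fat header region or the full file.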