Hackers are constantly adapting their attacks to keep up with new technology, including Apple's M1 chip used to power newer Macs. Malicious adversaries are now crafting multi-architecture ("universal") applications so that their code runs natively on Apple's M1 systems, security researcher Patrick Wardle has detailed in a new blog post.
Apple's M1 chip is ARM-based: its CPU executes the ARM64 (AArch64) instruction set, so code must be compiled for arm64 to run natively rather than through Apple's Rosetta 2 translation layer for Intel binaries. Wardle discovered a malicious application, GoSearch22, which he believes may be the first example of natively M1-compatible malicious code. "This is the first time we've seen this in the wild," he says.
GoSearch22 was signed with an Apple Developer ID certificate (hongsheng yan) on November 23, 2020, Wardle says. Apple has since revoked that certificate, so macOS will refuse to launch the app unless the attackers re-sign it with another certificate.
But this also means Wardle can’t tell if Apple notarized the code. “What we do know is, this binary was detected in the wild so whether it was notarized or not, macOS users were infected,” Wardle explains.
When Wardle submitted the sample to VirusTotal, the anti-virus engines there identified GoSearch22.app as a variant of the "Pirrit" adware. Among its behaviours, this version of Pirrit installs itself as a malicious Safari extension.
Wardle found the issue while he was working on rebuilding his own tools to achieve native M1 compatibility. “I pondered the possibility that malware writers were also spending their time in a similar manner.
"At the end of the day, malware is simply software—albeit malicious—so I figured it would make sense that eventually we'd see malware built to execute natively on Apple's new M1 systems."
I asked Apple to comment on this story and will update it if the firm responds.
Malicious code continues to evolve
Wardle’s findings show just how quickly adversaries adapt in line with new technology. “This illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino,” Wardle says. “There are a myriad of benefits to natively distributing native ARM64 binaries, so why would malware authors resist?”
At the same time, Wardle warns that certain defensive tools such as anti-virus engines "struggle to process" the arm64 build of the binary. "While they can easily detect the Intel/x86_64 version, some failed to detect the ARM/M1 version (even though the code is logically identical)."
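The detection gap above follows from how a universal binary is laid out: a fat header lists one slice per architecture, and each slice is a complete, separately compiled Mach-O with its own bytes and therefore its own hash. A scanner (or blocklist) that only knows the x86_64 slice learns nothing about the arm64 slice next to it. The following parser, added here as an illustration and not code from Wardle's post or from the malware, walks the fat header of a constructed two-slice sample and hashes each slice; `build_sample_fat`, `parse_fat` and `scan_fat` are names chosen for this example, and the sample is a synthetic stub with empty load commands, not GoSearch22.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE      # fat_header magic, stored big-endian
FAT_MAGIC_64 = 0xCAFEBABF   # variant whose fat_arch_64 entries carry 64-bit offsets
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O magic, little-endian on x86_64 and arm64
MH_EXECUTE = 2              # Mach-O filetype: main executable

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_fat(data: bytes) -> list:
    """Walk a fat (universal) Mach-O and return one record per architecture slice:
    arch name, file offset, size, whether the slice starts with a 64-bit Mach-O
    header, and the SHA-256 of the slice bytes."""
    if len(data) < 8:
        raise ValueError("too short for a fat_header")
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic == FAT_MAGIC:
        entry_fmt = ">iiIII"     # cputype, cpusubtype, offset, size, align
    elif magic == FAT_MAGIC_64:
        entry_fmt = ">iiQQII"    # cputype, cpusubtype, offset64, size64, align, reserved
    else:
        raise ValueError("not a fat binary (magic 0x%08X)" % magic)
    entry_size = struct.calcsize(entry_fmt)
    if 8 + nfat_arch * entry_size > len(data):
        raise ValueError("fat_arch table runs past end of file")

    slices = []
    for i in range(nfat_arch):
        fields = struct.unpack_from(entry_fmt, data, 8 + i * entry_size)
        cputype, cpusubtype, offset, size = fields[:4]
        if offset + size > len(data):
            raise ValueError("slice %d runs past end of file" % i)
        blob = data[offset:offset + size]
        slice_magic = struct.unpack_from("<I", blob)[0] if len(blob) >= 4 else 0
        slices.append({
            "arch": CPU_NAMES.get(cputype, "cputype 0x%08X" % cputype),
            "cputype": cputype,
            "offset": offset,
            "size": size,
            "is_mach_o": slice_magic == MH_MAGIC_64,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return slices


def scan_fat(data: bytes, bad_hashes: set) -> dict:
    """Hash-based check applied per slice. A blocklist that only holds the x86_64
    slice's hash leaves the arm64 slice 'clean', which is the gap Wardle describes."""
    return {s["arch"]: ("flagged" if s["sha256"] in bad_hashes else "clean")
            for s in parse_fat(data)}


def mach_header_64(cputype: int, cpusubtype: int) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, MH_EXECUTE, 0, 0, 0, 0)


def build_sample_fat() -> bytes:
    """Constructed sample (not a real app): a two-slice universal binary in which each
    slice is a bare mach_header_64 followed by a distinct marker, so the slices hash
    differently even though they stand in for the same program."""
    align = 12                      # slices aligned to 2**12 = 4096 bytes
    page = 1 << align
    x86 = mach_header_64(CPU_TYPE_X86_64, 3) + b"x86_64 code"   # CPU_SUBTYPE_X86_64_ALL
    arm = mach_header_64(CPU_TYPE_ARM64, 0) + b"arm64 code"     # CPU_SUBTYPE_ARM64_ALL
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", CPU_TYPE_X86_64, 3, page, len(x86), align)
    header += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 2 * page, len(arm), align)
    out = bytearray(3 * page)
    out[:len(header)] = header
    out[page:page + len(x86)] = x86
    out[2 * page:2 * page + len(arm)] = arm
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_fat()
    for s in parse_fat(sample):
        print("%-7s offset=%6d size=%4d mach-o=%s sha256=%s..." %
              (s["arch"], s["offset"], s["size"], s["is_mach_o"], s["sha256"][:16]))
    # A blocklist seeded only with the Intel slice misses the arm64 slice.
    intel_hash = parse_fat(sample)[0]["sha256"]
    print(scan_fat(sample, {intel_hash}))
```

On a real Mac the same slice listing comes from `lipo -info` or `file` against the app's main executable, and `codesign -dvv` prints the signing identity, which is how a revoked Developer ID like the one on GoSearch22 is spotted. The practical lesson is that any hash or signature built from a universal binary has to be generated per slice (or from the whole fat file) rather than from the one architecture an analyst happened to run.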
Apple's macOS may seem more secure, and its ecosystem is often referred to as a "walled garden", but that doesn't mean it is immune to malware. "MacOS is just as susceptible to malware as any other popular operating system such as Windows," says Sean Wright, application security SME lead at Immersive Labs. "The fact that there is at least one known malicious app being created for the new Apple devices (using ARM) shows how often attackers seem to be one step ahead of defenders."
However, Wright says, while this may seem alarming, there is no need to panic. He advises Mac users to follow best security practices and remain vigilant: “Don’t run or install unknown applications, or run attachments from unknown senders.”