A researcher has spotted the first piece of Mac malware that appears to have been created specifically for devices with Apple’s recently introduced M1 chip.
The malware was discovered by Patrick Wardle, a cybersecurity researcher who specializes in Apple products. Wardle has developed several free and open source security tools for Macs, and came up with the idea to look for malware designed to run natively on M1 systems while rebuilding his tools for native M1 compatibility.
The M1 system-on-chip (SoC), unveiled by Apple in November 2020, is designed for increased performance, as well as better security, with the Cupertino, Calif.-based tech giant claiming that it includes security protections built deep into its code execution architecture.
The M1 chip uses the arm64 CPU architecture and apps developed specifically for Macs powered by the M1 contain arm64 code. Wardle searched Google’s VirusTotal malware analysis service for such samples and discovered an app named GoSearch22, which turned out to be a variant of Pirrit, a piece of adware that has been around for several years.
The sample discovered by the researcher, submitted in late December 2020, had been signed with an Apple developer ID and it had apparently been detected in the wild. The adware variant developed for M1 systems was designed to install itself as a Safari extension, and packed various anti-analysis capabilities.
A small experiment conducted by Wardle also showed that static analysis tools and anti-malware engines could have trouble analyzing and detecting arm64 malware, compared to x86_64 binaries.
“Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast. Today, we highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to arm64 to gain natively binary compatibility with Apple’s latest hardware,” Wardle said in a blog post.
Thomas Reed, director of Mac & Mobile at cybersecurity firm Malwarebytes, told SecurityWeek that while this was inevitable, M1-native malware should not be a major concern for M1-powered Mac users.
“As an industry we have observed that the criminals behind Mac adware have demonstrated the most adaptability with macOS. I was less than surprised we saw this first happen in Pirrit, as it’s one of the oldest and most active Mac adware families – who are constantly changing to evade detection,” Reed said.
He added, “Overall, I don’t anticipate this being a huge issue in the near future, as antivirus software can detect the Intel code in a fat binary just as well as for an Intel-only binary. However, this does mean that our industry needs to prepare to see malware creators switch to single-architecture M1-only binaries as a means of evading detection. Antivirus companies need to stay proactive and begin to strategize how they will detect these threats as they evolve in the future.”
A report released earlier this week by Malwarebytes showed that while Mac malware detections on consumer devices decreased by 40% in 2020 compared to the previous year, detections in enterprise environments increased by 31%.