Connect with us

Hi, what are you looking for?



Mac Malware Targeting Apple’s M1 Chip Emerges

A researcher has spotted the first piece of Mac malware that appears to have been created specifically for devices with Apple’s recently introduced M1 chip.

A researcher has spotted the first piece of Mac malware that appears to have been created specifically for devices with Apple’s recently introduced M1 chip.

The malware was discovered by Patrick Wardle, a cybersecurity researcher who specializes in Apple products. Wardle has developed several free and open source security tools for Macs, and came up with the idea to look for malware designed to run natively on M1 systems while rebuilding his tools for native M1 compatibility.

The M1 system-on-chip (SoC), unveiled by Apple in November 2020, is designed for increased performance, as well as better security, with the Cupertino, Calif.-based tech giant claiming that it includes security protections built deep into its code execution architecture.

The M1 chip uses the arm64 CPU architecture and apps developed specifically for Macs powered by the M1 contain arm64 code. Wardle searched Google’s VirusTotal malware analysis service for such samples and discovered an app named GoSearch22, which turned out to be a variant of Pirrit, a piece of adware that has been around for several years.

The sample discovered by the researcher, submitted in late December 2020, had been signed with an Apple developer ID and it had apparently been detected in the wild. The adware variant developed for M1 systems was designed to install itself as a Safari extension, and packed various anti-analysis capabilities.

A small experiment conducted by Wardle also showed that static analysis tools and anti-malware engines could have trouble analyzing and detecting arm64 malware, compared to x86_64 binaries.

“Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast. Today, we highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to arm64 to gain natively binary compatibility with Apple’s latest hardware,” Wardle said in a blog post.

Thomas Reed, director of Mac & Mobile at cybersecurity firm Malwarebytes, told SecurityWeek that while this was inevitable, M1-native malware should not be a major concern for M1-powered Mac users.

Advertisement. Scroll to continue reading.

“As an industry we have observed that the criminals behind Mac adware have demonstrated the most adaptability with macOS. I was less than surprised we saw this first happen in Pirrit, as it’s one of the oldest and most active Mac adware families – who are constantly changing to evade detection,” Reed said.

He added, “Overall, I don’t anticipate this being a huge issue in the near future, as antivirus software can detect the Intel code in a fat binary just as well as for an Intel-only binary. However, this does mean that our industry needs to prepare to see malware creators switch to single-architecture M1-only binaries as a means of evading detection. Antivirus companies need to stay proactive and begin to strategize how they will detect these threats as they evolve in the future.”

A report released earlier this week by Malwarebytes showed that while Mac malware detections on consumer devices decreased by 40% in 2020 compared to the previous year, detections in enterprise environments increased by 31%.

Related: XCSSET Mac Malware Steals Information, Spreads via Xcode Projects

Related: Several New Mac Malware Families Attributed to North Korean Hackers

Related: ThiefQuest Mac Malware Includes Ransomware, Data Theft Capabilities

Related: Repurposing Mac Malware Not Difficult, Researcher Shows

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.