Malware specifically tailored to run on Apple’s M1 chip has been discovered, indicating that malware authors have begun adapting malicious software for Apple’s new generation of Macs with Apple silicon.
Wardle discovered the first known native M1 malware in the form of a Safari adware extension, originally written to run on Intel x86 chips. The malicious extension, called “GoSearch22,” is a well-known member of the “Pirrit” Mac adware family and was first spotted at the end of December. Pirrit is one of the oldest and most active Mac adware families, and has been known to constantly change in an attempt to evade detection, so it is unsurprising that it has already begun adapting for the M1.
The GoSearch22 adware presents itself as a legitimate Safari browser extension, but collects user data and serves a large number of ads such as banners and popups, including some that link to malicious websites to proliferate more malware. Wardle says the adware was signed with an Apple Developer ID in November to further conceal its malicious content, but it has since been revoked.
Wardle notes that since malware for the M1 is still at an early stage, antivirus scanners are not detecting it as easily as x86 versions and defensive tools like antivirus engines are struggling to process the amended files. The signatures used to detect threats from malware on the M1 chip have not yet been substantially observed, so the security tools to detect and deal with it are not yet available.
Researchers from security company Red Canary told Wired that other types of native M1 malware, distinct from Wardle’s findings, have also been found and are being investigated.
Only the MacBook Pro, MacBook Air, and Mac mini have Apple silicon chips at this time, but the technology is expected to expand across the Mac lineup over the next two years. Given that all new Mac computers are expected to feature Apple silicon chips like the M1 in the near future, it was somewhat inevitable that malware developers would eventually start to target Apple’s new machines.
While the M1-native malware that researchers have found does not seem to be unusual or particularly dangerous, the emergence of these new varieties acts as a warning that there is likely more to come.
See Wardle’s full report for more information about the first M1-native malware.