First Apple Silicon-Optimized Malware Discovered in the Wild

The first Apple Silicon Macs are only a few months old, and many popular apps have already been updated with support for the M1 MacBook Air, MacBook Pro and Mac mini. Not far behind is what looks like the first in-the-wild malware optimized for Apple Silicon.

The discovery was made by security researcher and Objective-See founder Patrick Wardle. In a very detailed write-up, Patrick explains how he went about finding the new Apple Silicon-specific malware and why it matters.

While I was rebuilding my tools to achieve M1 compatibility, I reflected on the possibility that malware writers are also spending their time in a similar way. At the end of the day, malware is merely software (albeit malicious), so I thought it would make sense (eventually) that we would see malware built to run natively on Apple’s new M1 systems.

Before we look for native M1 malware, we need to answer the question, “How can we determine if a program was natively compiled for M1?” In short, it contains arm64 code! OK, and how can we determine that?

One simple way is via macOS’s built-in `file` tool (or `lipo -archs`). Using this tool we can examine a binary to see if it contains compiled arm64 code.
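The same check can be done without the macOS tools, which is handy when triaging samples on a Linux analysis box. The following is an added example (not code from Patrick’s post or from Objective-See) that parses a fat (universal) header and each slice’s Mach-O header directly; the sample bytes at the bottom are constructed, not real malware.

```python
import struct

# Mach-O and fat (universal) header constants, from <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE                      # fat header, always stored big-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
CPU_NAMES = {0x7: "i386", 0x01000007: "x86_64", 0xC: "arm", 0x0100000C: "arm64"}
# thin-header magic as read big-endian -> byte order of the rest of that header
ENDIAN = {MH_MAGIC_64: ">", MH_MAGIC: ">", MH_CIGAM_64: "<", MH_CIGAM: "<"}

def slice_arch(data: bytes, off: int = 0) -> str:
    """Name the CPU architecture of the thin Mach-O whose header starts at `off`."""
    endian = ENDIAN.get(struct.unpack_from(">I", data, off)[0])
    if endian is None:
        raise ValueError(f"no Mach-O header at offset {off:#x}")
    cputype = struct.unpack_from(endian + "I", data, off + 4)[0]   # second header field
    return CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")

def architectures(data: bytes) -> list:
    """List the architectures a thin or fat Mach-O was built for (like `lipo -archs`)."""
    magic, count = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        return [slice_arch(data, 0)]
    if count > 0x30:   # Java .class files share the CAFEBABE magic; reject absurd slice counts
        raise ValueError("CAFEBABE magic but not a fat Mach-O (Java class file?)")
    archs = []
    for i in range(count):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (five big-endian uint32)
        _, _, offset, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        archs.append(slice_arch(data, offset))
    return archs

def runs_natively_on_m1(data: bytes) -> bool:
    """True when the binary carries an arm64 slice, i.e. it was compiled for Apple Silicon."""
    return "arm64" in architectures(data)

def _mach_header_64(cputype: int) -> bytes:
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)

# Constructed sample data (not real malware): an Intel-only binary and a universal binary
# whose x86_64 slice sits at file offset 0x1000 and whose arm64 slice sits at 0x2000.
INTEL_ONLY = _mach_header_64(0x01000007)
UNIVERSAL = struct.pack(">II", FAT_MAGIC, 2)
UNIVERSAL += struct.pack(">5I", 0x01000007, 3, 0x1000, len(INTEL_ONLY), 12)
UNIVERSAL += struct.pack(">5I", 0x0100000C, 0, 0x2000, 32, 14)
UNIVERSAL = UNIVERSAL.ljust(0x1000, b"\0") + INTEL_ONLY
UNIVERSAL = UNIVERSAL.ljust(0x2000, b"\0") + _mach_header_64(0x0100000C)
```

Feed `architectures()` the bytes of a file opened in binary mode; note that an arm64 slice alone does not prove a macOS target, since iOS binaries are arm64 too, which is exactly why the hunt below had to filter those out separately.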

Patrick eventually used a free research account at VirusTotal to start his hunt. An important step in finding out whether there is malware optimized for Apple Silicon was to exclude universal apps that are actually iOS binaries.

After narrowing things down, Patrick flagged ‘GoSearch22’ as an interesting find.

After a few more checks, Patrick was able to confirm that it was malware built to run natively on M1 Macs.

Hooray, so we managed to find a macOS application that contains native M1 code (arm64) … which is detected as malicious! This confirms that authors of malware / adware are indeed working to ensure that their malicious creations are natively compatible with Apple’s latest hardware. 🥲

It is also important to note that GoSearch22 was indeed signed with an Apple Developer ID (hongsheng yan) on November 23, 2020:

Patrick notes that Apple has by now revoked the certificate, so it is not known whether Apple had notarized the code. But still …

What we do know is that this binary was detected in the wild (and submitted by a user via an Objective-See tool) … so, notarized or not, macOS users are infected.

With further digging, Patrick was able to learn that the GoSearch22 Apple Silicon-optimized malware is a variant of the ‘common but rather insidious’ Pirrit adware. Specifically, this new sample looks to ‘persist as a launch agent’ and ‘install itself as a malicious Safari extension’.

Even more noteworthy is that GoSearch22, which is compatible with Apple Silicon, appeared on December 27, a few weeks after the first M1 Macs were made available. And Patrick notes that a user actually submitted it to VirusTotal using one of Objective-See’s tools.

Why is this important?

In closing, Patrick shares some thoughts on why Apple Silicon malware matters. First, it’s a real testament to how quickly malicious code evolves in response to Apple’s new hardware and software.

But beyond that, the more important realization is that current tools may not be up to the task of defending against arm64 macOS-focused malware:

Second, and more worrying, (static) analysis tools or antivirus engines can struggle with arm64 binaries.

Check out Patrick’s full technical post on Objective-See here.
