Experts spotted the first malware tailored for Apple M1 Chip, it is just the beginning

Pierluigi Paganini February 19, 2021

Apple launched its M1 chip and cybercriminals developed a malware sample specifically for it, the latest generation of Macs are their next targets.

The popular security researcher Patrick Wardle discovered one of the first malware designed to target latest generation of Apple devices using the company M1 chip.

The discovery suggests threat actors are tailoring their malware to target the latest generation of Mac devices using the own processors.

Wardle discovered a Safari adware extension, tracked as GoSearch22, that was initially developed to run on Intel x86 chips, and now it was adapted to run on M1 chips.

“What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected.” reads the analysis published by Wardle. “Looking at the (current) detection results (via the anti-virus engines on VirusTotal), it appears the is an instance of the prevalent, yet rather insidious, ‘Pirrit’ adware:”

The malicious extension was signed with an Apple Developer ID “hongsheng_yan” in November to avoid detection, but it has since been revoked.

The malware is a variant of the Pirrit adware that was first spotted at the end of 2020.

The malware is able to collect browsing data and serves a large number of ads to the victims, including banners and popups. The malicious ads could also redirect unaware users to malicious websites used to distribute malicious payloads.

M1 chip malware detection

“The malicious GoSearch22 application may be the first example of such natively M1 compatible code.” continues Wardle. “The creation of such applications is notable for two main reasons:

  • First, (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino. There are a myriad of benefits to natively distributing native arm64 binaries, so why would malware authors resist?
  • Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle with arm64 binaries. In a simple experiment, I separated out the x86_64 and arm64 binaries from the universal GoSearch22 binary (using macOS built-in lipo utility):”

Wardle pointed out that (static) analysis tools or antivirus engines face difficulties in analyzing ARM64 binaries, this is demonstrated by the fact that the detection rate for these malware is lower when compared to the Intel x86_64 version.

“Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast. Today, we highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to arm64 to gain natively binary compatibility with Apple’s latest hardware.” concludes Wardle.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, M1 chip)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment