Apple last year introduced its first round of Macs equipped with its own silicon. Developers are not the only ones updating their apps and rewriting them for Apple’s latest hardware – hackers also are adapting their malware to take advantage of the ARM-based architecture of these new M1 Macs. And they are doing it quickly with the first M1-specific malware now circulating in the wild.
The first known M1 malware was spotted by Patrick Wardle, a security researcher and Objective-See founder. Wardle went looking for malware because he suspected malware developers were working as hard as regular developers in supporting Apple’s M1 architecture.
As I was working on rebuilding my tools to achieve native M1 compatibility, I pondered the possibility that malware writers were also spending their time in a similar manner. At the end of the day, malware is simply software (albeit malicious), so I figured it would make sense that (eventually) we’d see malware built to execute natively on Apple new M1 systems.
Patrick Wardle
In a recent post on his website, Wardle describes how he discovered the GoSearch22 malware and why this discovery is important.
How Was GoSearch22 Found?
Wardle began with a free account at VirusTotal and started his hunt. He started by filtering out all iOS apps and looking for apps compiled natively for the M1 processor.
Before going off hunting for native M1 malware, we need to answer the question, “How can we determine if a program was compiled natively for M1?” Well, in short, it will contain arm64 code! OK, and how do we ascertain this?
One simple way is via macOS’s built-in file tool (or lipo -archs). Using this tool, we can examine a binary to see if it contains compiled arm64 code.
Patrick Wardle
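As an added example (not code from Wardle's post or tooling), the same arm64 check can be done without file or lipo by reading the Mach-O and universal ("fat") headers directly, which is useful on a non-Mac triage box. The magic numbers and cputype values are Apple's public header constants; the sample headers at the bottom are constructed, not real binaries.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary; fat headers are big-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O image
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O image
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPES = {               # cputype values from <mach/machine.h>
    7: "i386",
    7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm",
    12 | CPU_ARCH_ABI64: "arm64",
}

def _thin_cputype(data, offset=0):
    """cputype of the thin Mach-O image at offset, or None if no Mach-O magic."""
    if len(data) < offset + 8:
        return None
    for order in ("<", ">"):  # a thin header is in the target's byte order
        if struct.unpack_from(order + "I", data, offset)[0] in (MH_MAGIC_64, MH_MAGIC):
            return struct.unpack_from(order + "i", data, offset + 4)[0]
    return None

def mach_o_archs(data):
    """Return the architecture name of every slice in a Mach-O or fat binary."""
    if len(data) >= 8 and struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        archs = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (20 bytes each)
            cputype = struct.unpack_from(">iiIII", data, 8 + 20 * i)[0]
            archs.append(CPU_TYPES.get(cputype, f"unknown({cputype:#x})"))
        return archs
    cputype = _thin_cputype(data)
    return [] if cputype is None else [CPU_TYPES.get(cputype, f"unknown({cputype:#x})")]

def has_arm64(data):
    """True when the file carries a native arm64 slice, i.e. it passes the M1 hunting filter."""
    return "arm64" in mach_o_archs(data)

# Constructed sample headers (not real binaries): a fat x86_64+arm64 file and a thin x86_64 file.
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">iiIII", 7 | CPU_ARCH_ABI64, 3, 0x1000, 0x100, 12)
              + struct.pack(">iiIII", 12 | CPU_ARCH_ABI64, 0, 0x2000, 0x100, 14))
SAMPLE_THIN_X86_64 = struct.pack("<IiiIIII", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # only the headers are needed, so read a prefix
        with open(path, "rb") as f:
            print(path, mach_o_archs(f.read(64 * 1024)))
```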
Wardle then stumbled across an app, GoSearch22, which piqued his interest.
What Is GoSearch22?
GoSearch22, as Wardle discovered, is a native M1 application explicitly designed to run on Apple’s new ARM Macs.
According to Wardle, it was found in the wild and is an instance of the prevalent, yet rather insidious, ‘Pirrit’ adware that will install as a malicious Safari extension.
The application was signed with an Apple developer ID (hongsheng yan) on November 23rd, 2020, so it would run on any M1 Mac.
Apple has since revoked the certificate, so it should no longer run on a Mac unless the developer re-signs it with another certificate.
Why Is It Important?
Wardle points out that this discovery is significant because of the speed at which this malware was developed.
It appeared so quickly after the launch of Apple’s new Macs that current tools may not be able to detect this novel type of arm64 macOS-focused malware.