M1 Malware Has Arrived

M1 Malware Has Arrived
Image: Apple

Now that Apple has officially begun the transition to Apple Silicon, so has malware.

Security researcher Patrick Wardle published a blog detailing that he’d found a malicious program dubbed GoSearch22, a Safari browser extension that’s been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on Macs.) Meanwhile, a new report from Wired also quotes other security researchers as finding other, distinct instances of native M1 malware from Wardle’s findings.

The GoSearch22 malware was signed with an Apple developer ID on Nov. 23,  2020 — not long after the first M1 laptops were first unveiled. Having a developer ID means a user downloading the malware wouldn’t trigger Gatekeeper on macOS, which notifies users when an application they’re about to download may not be safe. Developers can take the extra step of submitting apps to Apple to be notarized for extra confirmation. However, Wardle notes in his writeup that it’s unclear whether Apple ever notarized the code, as the certificate for GoSearch22 has since been revoked. Unfortunately, he also writes that since this malware was detected in the wild, regardless of whether Apple notarised it, “macOS users were infected.”

Apple’s Fantastic M1 Processor Is Held Back by Software Compatibility

It’s easy to look at the benchmark numbers of Apple’s home-grown processor with wide, astonished eyes — and some heart-felt expletives, too. The M1 is no doubt impressive enough to capture the interest of the most die-hard of die-hard PC users, and it’s clear that Apple’s gamble with making its...

Read more

The program itself appears to behave similarly to your standard adware. As in, if you’re infected with it, you’re subjected to seeing things like coupons, banners, pop-up ads, surveys, and other types of ads that promote shady websites and downloads. These types of malware also tend to collect your browsing data like IP addresses, sites you’ve visited, search queries, etc.

This is to be expected, and no, if you have an M1-powered computer, you shouldn’t fly into a panic just yet. To back it up a bit, the thing with the M1 processor is that the chip’s architecture is ARM-based whereas previously, Apple had relied on Intel x86 architecture. By making the switch, Apple promised super-fast performance and integrated security. And while we found the M1 chips delivered impressive results in our benchmark tests, it’s also clear that the chip is held back by limited software compatibility.

Most apps out there right now weren’t developed to run natively on the M1 and require Apple’s Rosetta 2, which automatically converts software written for Intel chips into something the M1 can understand. To get the best performance Apple promised, you’d want software to be optimised for the M1 chip. That’s why developers are working on creating native M1 versions of their software. Naturally, malware developers also want their malware to operate at peak capacity on M1 devices.

The good news is security researchers and vendors are also working to develop methods of detecting M1 malware. According to Wired, however, you should expect a bit of a lag in detection rates when trying to find new types of malware. Given that inevitable lag, it’s concerning that malware authors have been able to rapidly transition from Intel to Apple Silicon.

So far, the native instances of M1 malware that have been found aren’t significant threats. But! The M1 has only been around for a few months, and it’s likely that more types of malicious variants are on the way. Sure, eventually, security vendors will catch up and update detection tools to keep consumers safe. But in the meantime, if you’ve got an M1-powered laptop, it’s a good idea to double down on your security hygiene and think twice about what you click on.