First Apple Silicon M1 malware discovered in the wild

Ex-NSA researcher Patrick Wardle has recently praised Apple for the security of its M1 processor, but even so has now discovered evidence of hackers recompiling malware for it.

Wardle discovered the existence of GoSearch22.app, an M1-native version of the longstanding Pirrit adware. This version appears to have been aimed at displaying ads and collecting data from the user's browser.

"Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems," says Wardle in a blog post. "The malicious GoSearch22 application may be the first example of such natively M1 compatible code."

"The creation of such applications is notable for two main reasons," he continues. "First (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino."

"There are a myriad of [sic] benefits to natively distributing native arm64 binaries, so why would malware authors resist?" he continues. "Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle [to detect this]."

Wardle says that a number of current anti-virus systems which could spot the Intel versions of Pirrit, failed to identify the Apple Silicon M1 version.

Apple has now revoked the developer's certificate so that it cannot be run. Wardle says that this means there are certain issues regarding its distribution that can no longer be answered.

"What is not known is if Apple notarized the code," noted Wardle, meaning whether a developer submitted it to Apple or was working around the company's security. "We cannot answer this question, because Apple has revoked the certificate."

"What we do know is," he continues, "as this binary was detected in the wild... whether it was notarized or not, macOS users were infected."