
First Apple Silicon M1 malware discovered in the wild

The first malware native to Apple Silicon M1 Macs has been discovered by independent security researcher Patrick Wardle.

Ex-NSA researcher Patrick Wardle has recently praised Apple for the security of its M1 processor, but even so has now discovered evidence of hackers recompiling malware for it.

Wardle discovered the existence of GoSearch22.app, an M1-native version of the longstanding Pirrit adware. This version appears to have been aimed at displaying ads and collecting data from the user's browser.

"Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems," says Wardle in a blog post. "The malicious GoSearch22 application may be the first example of such natively M1 compatible code."

"The creation of such applications is notable for two main reasons," he continues. "First (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino."

"There are a myriad of [sic] benefits to natively distributing native arm64 binaries, so why would malware authors resist?" he continues. "Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle [to detect this]."

Wardle says that a number of current anti-virus engines that could spot the Intel version of Pirrit failed to identify the Apple Silicon M1 version.
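The detection gap described above, as an added example that is not code from the article or from Wardle's research: a minimal parser for the Mach-O universal ("fat") header that hashes each architecture slice separately, run over a constructed two-slice sample, showing why a hash taken from the Intel build matches the x86_64 slice but says nothing about a recompiled arm64 slice sitting in the same file.

```python
import hashlib
import struct

# Mach-O universal ("fat") header constants; the fat header is big-endian.
FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
MH_MAGIC_64 = b"\xcf\xfa\xed\xfe"  # 64-bit Mach-O magic as stored on disk

def build_fat(slices):
    """Constructed sample builder only: pack (cputype, bytes) slices into a
    fat binary with 4096-byte slice alignment (align field is log2, so 12)."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    body, offset = b"", 4096
    for cputype, blob in slices:
        header += struct.pack(">iiIII", cputype, 3, offset, len(blob), 12)
        padded = blob + b"\0" * ((-len(blob)) % 4096)
        body += padded
        offset += len(padded)
    return header.ljust(4096, b"\0") + body

def parse_fat(data):
    """Yield (arch_name, slice_bytes) for every architecture slice in a fat binary."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat/universal Mach-O")
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        yield CPU_NAMES.get(cputype, hex(cputype)), data[off:off + size]

def match_per_slice(data, known_bad_sha256):
    """Check each slice against a hash set: a hash derived from the Intel
    build matches only the x86_64 slice, never the recompiled arm64 one."""
    return {arch: hashlib.sha256(blob).hexdigest() in known_bad_sha256
            for arch, blob in parse_fat(data)}

# Constructed stand-ins for the two slices (not real Pirrit/GoSearch22 code).
X86_SLICE = MH_MAGIC_64 + b"constructed x86_64 payload"
ARM_SLICE = MH_MAGIC_64 + b"constructed arm64 payload"
SAMPLE = build_fat([(CPU_TYPE_X86_64, X86_SLICE), (CPU_TYPE_ARM64, ARM_SLICE)])
INTEL_ONLY_SIGS = {hashlib.sha256(X86_SLICE).hexdigest()}

if __name__ == "__main__":
    print(match_per_slice(SAMPLE, INTEL_ONLY_SIGS))  # {'x86_64': True, 'arm64': False}
```

A scanner that only hashes the whole file, or only the slice it would execute on its own CPU, misses the other architecture entirely; per-slice inspection is the check a defender wants.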

Apple has now revoked the developer's certificate, so the app can no longer run. Wardle says this means certain questions about its distribution can no longer be answered.

"What is not known is if Apple notarized the code," noted Wardle, meaning whether a developer submitted it to Apple or was working around the company's security. "We cannot answer this question, because Apple has revoked the certificate."

"What we do know is," he continues, "as this binary was detected in the wild... whether it was notarized or not, macOS users were infected."
26 Comments

longpath 401 comments · 20 Years

@AppleInsider

A follow up that states which antivirus detected this native version and which failed to do so would be helpful.

22july2013 3736 comments · 11 Years

I had to Google why AI might say "[sic]" for this:

"There are a myriad of [sic]

and I found this:

Another hot debate is whether it is correct to say, “Disneyland has myriad delights" or “Disneyland has a myriad of delights." You commonly hear "a myriad of" and just as commonly hear people railing that it should be simply "myriad" because the word is an adjective and essentially equivalent to a number. The argument goes like this: You wouldn't say, "There are a ten thousand of delights," so you shouldn't say, "There are a myriad of delights.”

Believe it or not, most language experts say that either way is fine. “Myriad” was actually used as a noun in English long before it was used as an adjective, and Merriam-Webster says the criticism the word gets as a noun is “recent.” Further, Garner’s Modern English Usage says “a myriad of” is fine even though it’s less efficient than “myriad.” Language is about more than efficiency, after all!

Today, “myriad” is used as both a noun and an adjective, which means it can be used with an “a” before it (as a noun, “a myriad” just as you would say “a mouse”) or without an “a” before it (as an adjective, “myriad delights” just as you would say “delicious treats”).

Nevertheless, if you choose to say or write "a myriad of," I have to warn you that you'll encounter occasional but vehement resistance. And in fact, the AP Stylebook says not to use it. So if you’re following AP style, it doesn’t matter what Merriam-Webster or Garner says is fine. (The Chicago Manual of Style doesn’t comment on “a myriad of” directly, but in a Q&A refers people to Merriam-Webster.)

I guess AI doesn't approve of certain styles even when those styles are technically correct.

MplsP 4047 comments · 8 Years

So essentially, Apple comes out with a new processor. A hacker re-compiles malware code to run natively and antivirus software doesn't detect it because it's essentially new code with a new signature and they haven't caught up yet. Since the M1 is a processor running a computer with macOS, it's quite capable of running malware code and there's no evidence this code is any worse, more virulent or better at circumventing protections than any other malware, so is there really that much new here?

jcc 336 comments · 16 Years

So, as far as I know, there is no malware that would run or infect Macs unless you install it by entering your login password. So why are people so worked up about malware on Macs? Just don't ever enter your password to install it, problem solved!

22july2013 3736 comments · 11 Years

jcc said:
So, as far as I know, there is no malware that would run or infect Macs unless you install it by entering your login password. So why are people so worked up about malware on Macs? Just don't ever enter your password to install it, problem solved!

I own a mouse from a major mouse manufacturer and every month I get a notification that a new mouse driver has appeared and I should update it. To do that I have to enter my password. Should I trust it? It's not easy to decide. I can't see why Apple would design an OS that requires admin passwords to install something that should be utterly harmless to my computer, like a mouse driver.