The first instance of native malicious code for the new Apple Silicon M1 Macs was detected a month after the launch of devices equipped with the company’s new CPU.
In November 2020, Apple introduced the first Macs built around its long-awaited Apple Silicon M1 chip. The new hardware also caught the attention of malware authors, who quickly produced code that runs natively on the new chips.
Apple’s M1 processors use an ARM-based (arm64) architecture, a departure from the Intel x86_64 processors shipped in the previous generation of Macs. Existing Mac applications therefore either run as translated x86_64 code through Apple’s Rosetta 2 engine or must be recompiled to run natively on the new chips, typically as universal binaries that carry both an x86_64 slice and an arm64 slice.
Meanwhile, threat actors have been busy in their own way. Mac security researcher Patrick Wardle has published details of malicious code built specifically for Apple Silicon. Searching VirusTotal with query modifiers that narrow results to native M1 code, Wardle identified a macOS program compiled natively for the M1 that was flagged as malicious. The application, named GoSearch22, turned out to be a variant of the Pirrit adware family, a threat commonly found on Macs.
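The check Wardle ran against VirusTotal can also be done locally on a binary you are triaging: read the Mach-O header and see whether the file is a universal binary with an arm64 slice (native on M1), an arm64-only image, or x86_64-only code that would need Rosetta 2. The following is an added example, not code from the article or from Objective-See; the constants come from Apple's `<mach-o/fat.h>`, `<mach-o/loader.h>` and `<mach/machine.h>` headers, the sample images are constructed stubs (not real malware), and the sanity limit of 32 slices is an assumption chosen to reject Java `.class` files, which share the `0xCAFEBABE` magic.

```python
import struct

# Mach-O constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary; the fat header is big-endian
MH_MAGIC = 0xFEEDFACE       # thin 32-bit image
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit image
CPU_TYPE_I386 = 0x00000007
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {
    CPU_TYPE_I386: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM64: "arm64",
}


def _thin_cputype(data, off=0):
    """cputype of the thin Mach-O header at `off`, or None if no Mach-O magic is there.
    Thin headers are written in the target CPU's byte order, so both orders are tried."""
    if off + 8 > len(data):
        return None
    for order in ("<", ">"):
        magic, cputype = struct.unpack(order + "II", data[off:off + 8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return cputype
    return None


def mach_o_architectures(data):
    """Return [(arch_name, slice_header_agrees), ...] for a Mach-O file image.
    A universal binary yields one entry per fat_arch record; a thin image yields one entry."""
    if len(data) < 8:
        raise ValueError("not a Mach-O image (too short)")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC:
        # Java .class files share the CAFEBABE magic; their next field is a version number
        # (e.g. 52), far above the handful of slices a real universal binary carries.
        # The limit of 32 is an assumption for this example, not an Apple-defined constant.
        if nfat == 0 or nfat > 32:
            raise ValueError("CAFEBABE magic but implausible slice count (Java class file?)")
        archs = []
        for i in range(nfat):
            start = 8 + 20 * i                 # sizeof(fat_header) + i * sizeof(fat_arch)
            if start + 20 > len(data):
                raise ValueError("truncated fat header")
            cputype, _subtype, offset, _size, _align = struct.unpack(">IIIII", data[start:start + 20])
            name = CPU_NAMES.get(cputype, "cputype 0x%08x" % cputype)
            # Cross-check the table entry against the slice's own header. They should agree;
            # if they do not, the fat table cannot be trusted for triage.
            archs.append((name, _thin_cputype(data, offset) == cputype))
        return archs
    cputype = _thin_cputype(data, 0)
    if cputype is None:
        raise ValueError("not a Mach-O image")
    return [(CPU_NAMES.get(cputype, "cputype 0x%08x" % cputype), True)]


def is_apple_silicon_native(data):
    """True if the file carries a consistent arm64 slice, i.e. it runs on an M1 without Rosetta 2."""
    return any(name == "arm64" and ok for name, ok in mach_o_architectures(data))


def _thin_header(cputype):
    """Constructed minimal mach_header_64: magic, cputype, cpusubtype, filetype, ncmds,
    sizeofcmds, flags, reserved. Enough for header parsing, not a loadable image."""
    return struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)


def build_universal(cputypes):
    """Constructed universal binary: big-endian fat header followed by one stub slice per cputype."""
    slices = [_thin_header(t) for t in cputypes]
    offset = 8 + 20 * len(cputypes)
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for cputype, s in zip(cputypes, slices):
        out += struct.pack(">IIIII", cputype, 3, offset, len(s), 0)
        offset += len(s)
    return out + b"".join(slices)


# Constructed samples (not real malware): an Intel-only image, a universal x86_64+arm64
# image, and a tampered copy whose fat table claims arm64 for a slice that is really x86_64.
INTEL_ONLY = _thin_header(CPU_TYPE_X86_64)
UNIVERSAL = build_universal([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
_SECOND_SLICE = 8 + 20 * 2 + len(INTEL_ONLY)   # offset of the arm64 slice inside UNIVERSAL
TAMPERED = bytearray(UNIVERSAL)
TAMPERED[_SECOND_SLICE + 4:_SECOND_SLICE + 8] = struct.pack("<I", CPU_TYPE_X86_64)
TAMPERED = bytes(TAMPERED)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(path, mach_o_architectures(data), "M1 native:", is_apple_silicon_native(data))
```

Run it with one or more paths to Mach-O files (for an app bundle, the executable under `Contents/MacOS/`). A result such as `[("x86_64", True), ("arm64", True)]` is the universal layout Wardle describes; an arm64 entry with `False` means the fat table and the slice disagree and the file deserves a closer look.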
Adware like GoSearch22 displays coupons, banners and advertisements that push questionable web pages; the family has also been observed collecting browsing data and other potentially sensitive information.
The new variant installs as a malicious Safari extension and persists as a launch agent. The sample was uploaded to VirusTotal in late December 2020, about a month after the new Macs went on sale.
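Persistence as a launch agent is exactly the kind of thing a tool like KnockKnock enumerates, and the check is simple enough to reproduce. The following is an added example, not code from the article or from Objective-See: it parses the property lists launchd reads from the user and system launch directories and reports what an analyst would flag (start at login, automatic restart, scheduled re-execution, a program living outside system or application paths). The two sample plists are constructed for this example, the label and paths in them are invented, and the list of low-interest path prefixes is an assumption to tune for your own fleet.

```python
import glob
import os
import plistlib

# Directories launchd reads persistence entries from: per-user agents, system-wide agents, daemons.
LAUNCH_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
# Assumption for this example: programs under these prefixes are Apple or vendor paths and
# get no "path" finding. Tune this for the fleet you are triaging.
LOW_INTEREST_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


def triage_launch_item(plist_bytes):
    """Parse one launchd property list and return the label, the program it runs and findings."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or []
    program = item.get("Program") or (args[0] if args else None)
    findings = []
    if item.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at login/boot without user action")
    if item.get("KeepAlive"):
        findings.append("KeepAlive: launchd restarts it if it exits or is killed")
    if item.get("StartInterval") or item.get("StartCalendarInterval"):
        findings.append("scheduled re-execution")
    if program is None:
        findings.append("no Program/ProgramArguments (malformed or indirect launch)")
    elif not program.startswith(LOW_INTEREST_PREFIXES):
        findings.append("program outside system/application paths: " + program)
    return {"label": item.get("Label"), "program": program, "findings": findings}


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Triage every .plist under the launchd directories; unreadable files are reported, not skipped."""
    results = {}
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(os.path.expanduser(d), "*.plist"))):
            try:
                with open(path, "rb") as f:
                    results[path] = triage_launch_item(f.read())
            except Exception as exc:  # broken XML, binary plist damage, permission errors
                results[path] = {"label": None, "program": None, "findings": ["unreadable: %s" % exc]}
    return results


# Constructed sample: the shape of a launch agent an adware installer drops under
# ~/Library/LaunchAgents. Label and path are invented for this example.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.searchupdater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/alice/Library/Application Support/SearchHelper/updater</string>
        <string>--silent</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign sample: a system path, no RunAtLoad, no KeepAlive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.noop</string>
    <key>Program</key><string>/usr/bin/true</string>
</dict>
</plist>
"""


if __name__ == "__main__":
    for path, result in scan_launch_dirs().items():
        flag = "!!" if result["findings"] else "  "
        print(flag, path, result["label"], result["program"])
        for finding in result["findings"]:
            print("      -", finding)
```

Running it on a Mac prints every launchd item with its findings; an entry that combines `RunAtLoad` with a program under `~/Library/Application Support` is the classic adware signature and is worth pulling the binary for the architecture check above. A finding is a reason to look, not a verdict: plenty of legitimate updaters use the same keys.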
“Pretty amazing, if we look at the details of the VirusTotal submission, it turns out that this sample was submitted (by a user) directly through one of Objective-See’s tools (probably KnockKnock)… after the tool flagged the code as malicious due to its persistence mechanism,” Wardle said. That means the malware was caught in the wild, that is, running on a real user’s machine as part of an active campaign, and other macOS users may already be infected.
“Today we confirm that malicious actors are in fact building multi-architecture applications so that their code runs native on M1 systems. The malicious application GoSearch22 may be the first example of code that is natively compatible with M1,” he said.