First Apple Silicon optimized malware discovered in the wild

The first Apple Silicon Macs have been out for just a few months and a good portion of popular apps have been updated with native support for the M1 MacBook Air, Pro, and Mac mini. Not far behind, what looks like the first malware that’s been optimized for Apple Silicon has been found in the wild.

The discovery was made by security researcher and founder of Objective-See, Patrick Wardle. In a highly detailed deconstruction, Patrick shared how he went about finding the new Apple Silicon-specific malware and why this matters.

As I was working on rebuilding my tools to achieve native M1 compatibility, I pondered the possibility that malware writers were also spending their time in a similar manner. At the end of the day, malware is simply software (albeit malicious), so I figured it would make sense that (eventually) we’d see malware built to execute natively on Apple’s new M1 systems.

Before going off hunting for native M1 malware, we need to answer the question, “How can we determine if a program was compiled natively for M1?” Well, in short, it will contain arm64 code! OK, and how do we ascertain this?

One simple way is via the macOS’s built-in file tool (or lipo -archs). Using this tool, we can examine a binary to see if it contains compiled arm64 code.

Patrick used a free researcher account with VirusTotal to start his hunt. An important part of finding malware truly optimized for Apple Silicon was weeding out universal apps that are actually iOS binaries.
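The two checks described above (does a binary contain arm64 code, and is that code built for macOS rather than iOS) can be reproduced by reading the Mach-O headers directly. The following is an added example, not code from Patrick's write-up: the function names and the sample builders are hypothetical, the sample bytes are constructed, and it assumes 64-bit slices that carry an `LC_BUILD_VERSION` load command, which is one way (an assumption here, not necessarily Patrick's method) to tell macOS slices from iOS ones.

```python
import struct

CPU = {0x01000007: "x86_64", 0x0100000C: "arm64"}   # cputype values from <mach/machine.h>
PLATFORM = {1: "macOS", 2: "iOS"}                    # LC_BUILD_VERSION platform values
FAT_MAGIC, MH_MAGIC_64, LC_BUILD_VERSION = 0xCAFEBABE, 0xFEEDFACF, 0x32

def thin_slice(data, base=0):
    """Return (arch, platform) for one 64-bit little-endian Mach-O slice."""
    magic, cputype, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O slice")
    platform, off = "unknown", base + 32              # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_BUILD_VERSION:
            platform = PLATFORM.get(struct.unpack_from("<I", data, off + 8)[0], "other")
        off += cmdsize
    return CPU.get(cputype, hex(cputype)), platform

def slices(data):
    """List (arch, platform) for every slice of a thin or universal (fat) binary."""
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return [thin_slice(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]       # fat headers are big-endian
    out = []
    for i in range(nfat):
        _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("slice extends past end of file")
        out.append(thin_slice(data, offset))
    return out

def is_native_m1_mac(data):
    """True when a slice is arm64 code built for macOS rather than iOS."""
    return ("arm64", "macOS") in slices(data)

def build_thin(cputype, platform):
    """Constructed sample: header plus a single LC_BUILD_VERSION command."""
    lc = struct.pack("<6I", LC_BUILD_VERSION, 24, platform, 0x000B0000, 0x000B0000, 0)
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0) + lc

def build_fat(*thins):
    """Constructed sample: fat header wrapping the given slices back to back."""
    out, body, off = struct.pack(">2I", FAT_MAGIC, len(thins)), b"", 8 + 20 * len(thins)
    for t in thins:
        out += struct.pack(">5I", struct.unpack_from("<I", t, 4)[0], 0, off + len(body), len(t), 0)
        body += t
    return out + body
```

On a real file, pass the bytes read from the binary to `slices()`; the architecture names it returns match what `lipo -archs` prints for the same slices.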

After narrowing things down, Patrick singled out “GoSearch22” as an interesting find.

After passing a few more checks, Patrick was able to confirm this is malware optimized for M1 Macs.

Hooray, so we’ve succeeded in finding a macOS program containing native M1 (arm64) code …that is detected as malicious! This confirms malware/adware authors are indeed working to ensure their malicious creations are natively compatible with Apple’s latest hardware.

It is also important to note that GoSearch22 was indeed signed with an Apple developer ID (hongsheng yan), on November 23rd, 2020.

Patrick notes that Apple has revoked the certificate at this point so it’s not known if Apple notarized the code. But even so…

What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected.

With further digging, Patrick was able to learn that the GoSearch22 Apple Silicon optimized malware is a variation on the “prevalent, yet rather insidious, ‘Pirrit’ adware.” And specifically this new instance looks like it aims to “persist a launch agent” and “install itself as a malicious Safari extension.”

Even more notably, GoSearch22 optimized for Apple Silicon first surfaced on December 27, just weeks after the first M1 Macs were made available. And Patrick notes a user actually submitted it to VirusTotal with one of Objective-See’s tools.

Why it’s significant

In conclusion, Patrick shares a few thoughts on why Apple Silicon optimized malware matters. First, it’s real-world proof of how fast malicious code is evolving in response to new hardware and software from Apple.

But beyond that is the more important realization that current tools may not be up to the task of defending against arm64 macOS-focused malware:

Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle with arm64 binaries.