Many developers are updating their Mac applications to run natively on M1 Macs, and malware developers are no exception. Mac security researcher Patrick Wardle has published a report, shared by Wired, that discusses how malware is being adapted and recompiled to run natively on Apple’s current-generation M1 Macs.
Wardle has discovered the first known native M1 malware, which is an update to a Safari adware extension, originally written for Intel-based Macs. The malicious “GoSearch22” extension is a well-known member of the “Pirrit” Mac adware family and was first spotted at the end of December.
GoSearch22 adware presents itself as a legitimate Safari browser extension but collects user data while serving up ads, such as banners and pop-ups, some of which link to malicious websites. Although the adware had been signed with an Apple Developer ID back in November, that certificate has since been revoked.
The malicious Safari extension does have some anti-analysis features, including logic to try to avoid debugging tools. But Wardle found that while VirusTotal’s suite of antivirus scanners easily spot the x86-based version of the adware as malicious, there was a 15 percent drop in detection of the M1 version.
“Certain defensive tools like antivirus engines struggle to process this ‘new’ binary file format,” Wardle says. “They can easily detect the Intel-x86 version, but failed to detect the ARM-M1 version, even though the code is logically identical.”
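The detection gap Wardle describes comes down to the file format: the same logic shipped as an arm64 Mach-O slice instead of (or alongside) an x86_64 one. As an added example, not code from Wardle's report or from the adware, the Python below parses thin and universal (fat) Mach-O headers so a defender can inventory which architectures a binary actually carries; the header-only sample blobs and the helper names are constructed for illustration.

```python
import struct
# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

def macho_architectures(data: bytes) -> list:
    """Return the CPU architectures in a thin or universal (fat) 64-bit Mach-O."""
    if len(data) < 32:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):  # fat_header/fat_arch are always big-endian
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):
            off = 8 + i * 20
            _cpu, _sub, s_off, s_size, _align = struct.unpack(">iiIII", data[off:off + 20])
            if s_off + s_size > len(data):
                raise ValueError("fat slice %d extends past end of file" % i)
            # Parse the slice itself rather than trusting the fat_arch cputype field
            archs.extend(macho_architectures(data[s_off:s_off + s_size]))
        return archs
    if magic == MH_CIGAM_64:    # bytes CF FA ED FE: little-endian header (x86_64 and arm64)
        cputype = struct.unpack("<i", data[4:8])[0]
    elif magic == MH_MAGIC_64:  # big-endian header
        cputype = struct.unpack(">i", data[4:8])[0]
    else:
        raise ValueError("not a 64-bit Mach-O: magic 0x%08x" % magic)
    return [CPU_NAMES.get(cputype, "cputype 0x%08x" % cputype)]

def has_native_arm64(data: bytes) -> bool:
    """True when the file ships an Apple Silicon slice that x86-only scanning would skip."""
    return "arm64" in macho_architectures(data)

# Constructed samples: header-only blobs with no load commands or code.
def _thin_header(cputype: int) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)

def build_universal(slices) -> bytes:
    """Wrap (cputype, blob) pairs in a fat header the way lipo lays them out."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    entries, body, base = b"", b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        entries += struct.pack(">iiIII", cputype, 0, base + len(body), len(blob), 0)
        body += blob
    return header + entries + body

SAMPLE_INTEL_ONLY = _thin_header(CPU_TYPE_X86_64)
SAMPLE_UNIVERSAL = build_universal([(CPU_TYPE_X86_64, SAMPLE_INTEL_ONLY), (CPU_TYPE_ARM64, _thin_header(CPU_TYPE_ARM64))])
```

Run over a fleet's application bundles, the `has_native_arm64` check flags binaries whose arm64 slice needs its own scan coverage rather than relying on x86-tuned signatures.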
Researchers from security company Red Canary told Wired that other types of native M1 malware have also been found and are being investigated.
Read Wardle’s full report for more information about the first M1-based malware.