An independent security researcher has found evidence of malware designed to infiltrate Apple Silicon M1 Macs. He revealed the discovery in a blog post, in which he also expressed his belief that this might be the first malicious software containing natively M1-compatible code.
Patrick Wardle, a former NSA researcher and now a security researcher at software company Jamf, said he stumbled upon the malware while taking an in-depth look at Apple's new M1 system. The researcher had recently praised the Cupertino tech giant for the ample protection it built into its M1 processor, MacRumors reported. Today, he published a blog post revealing that attackers are recompiling malware to run natively on the new system.
In his blog post, Wardle said he found evidence of GoSearch22.app, a variant of the Pirrit adware. He explained that the code of GoSearch22.app is M1-compatible, adding that the new version appears designed to display ads and collect data from the user's browser. "Today we confirmed that malicious adversaries continue to craft multi-architecture applications so that their code will natively run on M1 systems. The malicious GoSearch22 application may be the first example of such natively M1 compatible code," Wardle said in a blog post.
Wardle said that the discovery of such applications proves that malicious code continues to evolve alongside the new software and hardware coming out of Cupertino. The researcher also cautioned that most analysis tools and anti-virus applications might have difficulty detecting this malicious application. He said he tried several current anti-virus applications known to detect the Intel version of Pirrit, but all of them failed to spot its Apple Silicon M1 version.
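The two points above, that adversaries now ship multi-architecture applications and that detection tuned to the Intel build can miss the M1 build, can be made concrete with a small added example (written for this page, not code from Wardle's post or from Pirrit itself): a parser for the Mach-O universal ("fat") header that hashes each architecture slice separately, flags an arm64 slice, and checks per-slice hashes against a known-bad set. The two-slice sample binary is constructed inline from hand-built header stubs with filler in place of real code; the hash set and all names are this example's own assumptions.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE        # universal ("fat") header magic, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O magic, stored little-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def fat_slices(data: bytes):
    """Return [(arch, offset, size, sha256)] per slice of a universal binary;
    a thin 64-bit Mach-O yields one entry. Raises ValueError on anything else."""
    if len(data) >= 8 and struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]          # mach_header_64.cputype
        return [(CPU_NAMES.get(cputype, hex(cputype)), 0, len(data),
                 hashlib.sha256(data).hexdigest())]
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        raise ValueError("not a fat or 64-bit Mach-O binary")
    nfat_arch = struct.unpack(">I", data[4:8])[0]
    if 8 + 20 * nfat_arch > len(data):
        raise ValueError("fat_arch table runs past end of file")
    slices = []
    for i in range(nfat_arch):                               # struct fat_arch is 20 bytes
        cputype, _sub, off, size, _align = struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])
        if off + size > len(data):
            raise ValueError(f"slice {i} runs past end of file")
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), off, size,
                       hashlib.sha256(data[off:off + size]).hexdigest()))
    return slices


def runs_natively_on_m1(data: bytes) -> bool:
    """True if the binary carries an arm64 slice, i.e. it runs on M1 without Rosetta."""
    return any(arch == "arm64" for arch, _, _, _ in fat_slices(data))


def matching_slices(data: bytes, known_bad: set) -> list:
    """Arch names of slices whose SHA-256 is in a known-bad set (whole-file hashes of a
    universal binary never match an Intel-era hash; per-slice hashes still can)."""
    return [arch for arch, _, _, digest in fat_slices(data) if digest in known_bad]


# --- constructed sample input: a two-slice universal binary assembled by hand ---
def thin_stub(cputype: int, body: bytes) -> bytes:
    # Minimal mach_header_64 (filetype 2 = MH_EXECUTE) plus filler standing in for code.
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0) + body


def build_fat(thins):
    """Fat header + fat_arch table + 4 KiB-aligned slices, the layout lipo produces."""
    table, payload, off = b"", b"", 8 + 20 * len(thins)
    for cputype, thin in thins:
        pad = (-off) % 4096
        payload, off = payload + b"\0" * pad, off + pad
        table += struct.pack(">IIIII", cputype, 0, off, len(thin), 12)   # align = 2**12
        payload, off = payload + thin, off + len(thin)
    return struct.pack(">II", FAT_MAGIC, len(thins)) + table + payload


INTEL_ONLY = thin_stub(CPU_TYPE_X86_64, b"constructed intel-only stand-in")
UNIVERSAL = build_fat([(CPU_TYPE_X86_64, INTEL_ONLY),
                       (CPU_TYPE_ARM64, thin_stub(CPU_TYPE_ARM64, b"constructed arm64 stand-in"))])
```

Run against `UNIVERSAL`, the x86_64 slice hashes identically to the stand-alone `INTEL_ONLY` file while the whole file does not, which is why a file-level hash or signature written for the Intel build misses the universal build, and why the arm64 slice needs its own coverage.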
According to Wardle, the malicious app presents itself as a genuine Safari browser extension, but what it actually does is collect user data while showing a huge number of ads, such as pop-ups and banners, several of which link users to malicious websites that host further malware, Ars Technica reported. The researcher said the inability of most antivirus software to detect the M1 variant of the code is understandable, as the malware is new.
Apple has reportedly revoked the developer's certificate so that the code can no longer run. However, Wardle says he does not know whether Apple had already notarized the code. If it had, that would mean the developer previously submitted the code to the Cupertino tech giant, or perhaps found a way to skirt the security checks the company has instituted. The researcher said there are many open questions surrounding the distribution of the app that he can no longer answer, since Apple has already revoked the certificate.
Wardle said that what is known is that, "as this binary was detected in the wild... whether it was notarized or not, macOS users were infected."