Apple’s M1 SoC was only announced in November, but it’s already become a target for attackers. Wired (via security researcher Patrick Wardle) has reported that malware authors have been setting their sights on the ARM-based chip.
Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications so that their code will natively run on M1 systems. The malicious GoSearch22 application may be the first example of such natively M1 compatible code.
GoSearch22 is adware that installs as an extension for the Safari web browser. It has been tailored to the ARM64 processor with techniques that have also been applied to other variants within the extensive Pirrit family, which gather a substantial amount of web browsing information and can also lead to the installation of other malware.
…this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino. There are a myriad of benefits to natively distributing native arm 64 binaries, so why would malware authors resist?
Wardle’s research shows that current antivirus engines have not adapted as quickly: their signatures were written for the malware’s original x86_64 builds, so they are still looking for the previous versions and can miss the natively compiled arm64 variant.
Unfortunately detections of the arm64 version dropped roughly 15% (when compared to the standalone x86_64 version).
…several industry-leading AV engines (who readily detected the x86_64 version) failed to flag the malicious arm64 binary.
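The detection gap above comes down to how universal binaries are laid out: a fat Mach-O carries one slice per architecture, so a signature or hash taken from the x86_64 build says nothing about the arm64 slice sitting next to it. The following parser is an added example, not code from the article or from Wardle’s research; it walks the fat header, reports each slice’s architecture, checks that the embedded Mach-O header agrees with the fat_arch entry, and hashes every slice separately so each can be matched on its own. The two-slice sample it builds is constructed in the script and is not a real binary.

```python
"""List and hash the architecture slices of a Mach-O universal ("fat") binary."""
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE      # fat header; fields are big-endian on disk
FAT_MAGIC_64 = 0xCAFEBABF   # variant with 64-bit slice offsets and sizes
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O header (little-endian on x86_64 and arm64)

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {7: "i386", CPU_TYPE_X86_64: "x86_64", 12: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_fat(data: bytes) -> list:
    """Return one dict per slice: arch, offset, size, sha256, header_ok."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        raise ValueError("not a fat binary (magic 0x%08x)" % magic)
    # fat_arch: cputype, cpusubtype, offset, size, align (+ reserved in the 64-bit form)
    fmt, entry_size = (">iiIII", 20) if magic == FAT_MAGIC else (">iiQQII", 32)
    if nfat > 32:  # real universal binaries carry a handful of slices; anything bigger is malformed
        raise ValueError("implausible nfat_arch %d" % nfat)
    slices = []
    pos = 8
    for _ in range(nfat):
        entry = data[pos:pos + entry_size]
        if len(entry) < entry_size:
            raise ValueError("truncated fat_arch table")
        cputype, cpusubtype, offset, size = struct.unpack(fmt, entry)[:4]
        pos += entry_size
        if offset + size > len(data):
            raise ValueError("slice extends past end of file")
        body = data[offset:offset + size]
        # The slice should itself start with a Mach-O header whose cputype matches
        # what the fat_arch entry declares; record whether that holds.
        header_ok = False
        if len(body) >= 8:
            inner_magic, inner_cputype = struct.unpack("<Ii", body[:8])
            header_ok = inner_magic in (MH_MAGIC, MH_MAGIC_64) and inner_cputype == cputype
        slices.append({
            "arch": CPU_NAMES.get(cputype, "0x%08x" % cputype),
            "offset": offset,
            "size": size,
            "sha256": hashlib.sha256(body).hexdigest(),  # per-slice hash, not whole-file
            "header_ok": header_ok,
        })
    return slices


def has_arch(data: bytes, arch: str) -> bool:
    """True if the fat binary contains a slice for the named architecture."""
    return any(s["arch"] == arch for s in parse_fat(data))


def _thin_header(cputype: int, cpusubtype: int) -> bytes:
    # Minimal mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2),
    # ncmds, sizeofcmds, flags, reserved. Constructed placeholder, no load commands.
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0)


def build_sample_fat() -> bytes:
    """Constructed two-slice universal binary (x86_64 + arm64); not a real sample."""
    align = 12                 # slices aligned to 2^12 bytes in this sample
    page = 1 << align
    slice_x86 = _thin_header(CPU_TYPE_X86_64, 3) + b"X" * 64   # CPU_SUBTYPE_X86_64_ALL
    slice_arm = _thin_header(CPU_TYPE_ARM64, 0) + b"A" * 64    # CPU_SUBTYPE_ARM64_ALL
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", CPU_TYPE_X86_64, 3, page, len(slice_x86), align)
    header += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 2 * page, len(slice_arm), align)
    return header.ljust(page, b"\0") + slice_x86.ljust(page, b"\0") + slice_arm


if __name__ == "__main__":
    sample = build_sample_fat()
    for s in parse_fat(sample):
        print("%-7s offset=%-6d size=%-6d header_ok=%s sha256=%s"
              % (s["arch"], s["offset"], s["size"], s["header_ok"], s["sha256"][:16]))
    print("contains arm64 slice:", has_arch(sample, "arm64"))
```

Run against a real universal binary, the per-slice hashes are the values worth keeping in a blocklist or YARA rule set; a whole-file hash changes as soon as a second slice is appended, which is exactly how an x86_64-only indicator fails to fire on the multi-architecture build.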
The malicious code is also harder to analyze because it includes anti-analysis checks, one of which lets it determine whether it is running in a virtual machine. Apple has not commented on Wardle’s findings yet, but the company has revoked the developer certificate the adware was signed with, which prevents GoSearch22 from running on macOS.