brand-new seamy underbelly

Apple M1-native malware has already begun to appear

Security researcher Patrick Wardle discovered M1-native malware targeting macOS.

GoSearch22 isn't, technically speaking, any sort of "virus." But it's certainly not anything you'd want on your shiny-new M1 Mac.

Last year, Apple released Macbooks and Mac Minis powered by a new ARM CPU—the Apple M1. A few months later, malware authors are already targeting the new hardware directly. Wired interviewed Mac security researcher Patrick Wardle, who discovered an M1-native version of the long-running Mac-targeted Pirrit adware family.

Apple M1, malware, and you

ARM CPUs have a very different Instruction Set Architecture (ISA) than traditional x86 desktop and laptop CPUs do, which means that software designed for one ISA can't run on the other without help. M1 Macs can run x86 software with a translation layer called Rosetta, but native M1 apps of course run much faster—as we can see by comparing Rosetta-translated Google Chrome to the M1-native version.

When it comes to malware, Apple users have long benefited from the minority status of their platform. Ten years ago, macOS' operating system market share was only 6.5 percent, and few malware authors bothered to target it at all—but today, that market share is approaching 20 percent. That increase in popularity has brought malware vendors along with it; the macOS malware ecosystem is still tiny and relatively crude compared to the one plaguing Windows, but it's very real.

The incentive for malware authors to target M1 directly isn't enormous—most existing macOS malware will run on an M1-equipped Mac just fine, via Rosetta 2. Malware authors also don't generally care much about performance—your CPU cycles don't cost them anything, after all. But there are still some benefits to targeting the new hardware directly—the more efficient malware code is, the less likely the owners of the computers it infects will notice it and/or care enough to root it out.

Finding M1-native malware

Wardle used a researcher account at VirusTotal to look for instances of M1-native malware. The actual search he used was `type:macho tag:arm tag:64bits tag:multi-arch tag:signed positives:2+`—which translates to "signed Apple multi-architecture executables that include 64-bit ARM code and have been flagged by at least two anti-virus engines."

This search, unfortunately, mostly produces iOS-targeted malware with support for more than one ARM architecture—but it narrowed things down enough for Wardle to manually weed through the results. He eventually found a Safari extension called GoSearch22. The application bundle's Info.plist file confirmed that it was indeed a macOS (not iOS) application.
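Wardle's VirusTotal filter (a multi-architecture Mach-O with a 64-bit ARM slice) can be applied to files you already hold by reading the Mach-O header yourself. The following is an added example, not Wardle's tooling or code from the article: it parses 32- and 64-bit fat headers as well as thin Mach-O headers and reports whether an arm64 slice is present. The two sample byte strings are constructed headers only, not real malware.

```python
import struct

# Mach-O magic numbers (from <mach-o/loader.h> and <mach-o/fat.h>).
FAT_MAGIC = 0xCAFEBABE       # universal binary, 32-bit fat_arch entries
FAT_MAGIC_64 = 0xCAFEBABF    # universal binary, 64-bit fat_arch_64 entries
MH_MAGIC_64 = 0xFEEDFACF     # thin 64-bit Mach-O
MH_MAGIC = 0xFEEDFACE        # thin 32-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
             12: "arm", 12 | CPU_ARCH_ABI64: "arm64"}


def macho_architectures(data: bytes) -> list:
    """Return the architecture names of every slice in a Mach-O blob."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    # Fat headers are always big-endian, even for little-endian CPUs.
    magic_be, nfat = struct.unpack(">II", data[:8])
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        fmt = ">iiIII" if magic_be == FAT_MAGIC else ">iiQQII"
        entry = struct.calcsize(fmt)
        archs = []
        for i in range(nfat):
            off = 8 + i * entry
            cputype = struct.unpack(fmt, data[off:off + entry])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    # Thin Mach-O headers are written in the target's (little-endian) order.
    magic_le, cputype = struct.unpack("<Ii", data[:8])
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        return [CPU_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O file")


def is_m1_native(data: bytes) -> bool:
    """True if the binary carries an arm64 slice, i.e. runs on M1 without Rosetta."""
    return "arm64" in macho_architectures(data)


def _fat_sample(cputypes):
    # Constructed fat header only (no slice bodies); offsets and sizes are dummies.
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        hdr += struct.pack(">iiIII", ct, 3, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


# Constructed samples: a universal x86_64+arm64 binary and a thin x86_64 one.
SAMPLE_UNIVERSAL = _fat_sample([7 | CPU_ARCH_ABI64, 12 | CPU_ARCH_ABI64])
SAMPLE_THIN_X86 = struct.pack("<IiiIIIII", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0)
```

Pass the first bytes of a file on disk to `macho_architectures` to list its slices; an app that only reports `x86_64` runs on an M1 Mac solely through Rosetta 2.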

The app was signed with Apple developer ID hongsheng_yan in November 2020—but we don't know whether Apple notarized it, since Apple has since revoked its certificate. With that certificate revoked, this version of GoSearch22 won't run on macOS anymore—unless and until its authors manage to sign it with another developer key, at least.

We can also surmise that this malware app did infect real macOS users in the wild prior to that certificate revocation—otherwise, it's extremely unlikely it would have been user-submitted to VirusTotal in the first place.

What does GoSearch22 do?

The M1-native malware Wardle found triggered 24 separate malware detection engines. Seventeen of those 24 positives were "generic"—but the remaining seven matched it with signatures for the Pirrit adware family.

Pirrit is an extremely long-running malware family that began on Windows but was eventually ported to macOS. Its presence on macOS was first published by researcher Amit Serper in 2016, with a notable follow-up from Serper in 2017.

If you're interested in where all the bodies are buried—for the Pirrit code itself, and for the TargetingEdge company that proliferates it—I highly recommend Serper's very detailed and informative write-ups. But if you're just looking for the short version: Pirrit variants display unwanted ads, and they're downright nasty about it.

Once a user has installed whatever shiny Trojan the Pirrit variant in question came wrapped in—which might be a fake video player, PDF reader, or apparently benign Safari extension—the user's default search engine is changed to something nasty and unhelpful, their Web browser usage is tracked, and their visited webpages are infested with unwanted ads.

This is all bad enough on its own; but Pirrit also uses the full stable of malware tricks to stay installed, avoid detection, and make life generally difficult for anyone trying to "interfere" with it. Pirrit seeks out and removes applications and browser extensions that could interfere with it, hides from attempts to find it by staying out of the Applications directory, gains root access to the Macs it's installed on, and heavily obfuscates its code in the attempt to make it more difficult to both detect and analyze.
