Apple’s M1 is already the target of Apple Silicon malware

Chris Davies - Feb 17, 2021, 12:36pm CST

Apple’s M1 processor can consider itself a success in the tech world, given that it’s already graduated to having malware target the new Apple Silicon. Found in the latest MacBook Air, MacBook Pro 13, and Mac mini, the chipset is a close relative of the SoC found in the iPad Pro, but it’s now getting a taste of nefarious desktop code.

Malware is, of course, a fact of digital life these days. We’re a long way from the time when using a Mac was enough to render you safe from viruses and the like, with the growth in macOS proving to be just as appealing a target for those with malicious software in mind.

What was unclear was just how long the M1 – and Apple Silicon in general – would stay safe from native malware. That is to say, software that’s compiled specifically for its arm64 architecture. As security researcher Patrick Wardle has discovered, that’s already in existence.

The offending code is a version of GoSearch22, a Safari adware extension. Although originally designed to work on the x86 architecture of Intel and AMD processors, Wardle has documented an M1-specific version in the wild.

For clarity, though GoSearch22 was signed with an Apple developer ID in November 2020, the certificate has since been revoked by Apple. That means it’s unclear whether Apple notarized it or not. The upshot, though, is that the malware won’t run on macOS any more until it’s re-signed with a new certificate.

According to Wired, this isn’t the only example of M1-specific malicious software that’s been identified so far. Security firm Red Canary says it’s also investigating an example of malware designed to affect Apple Silicon natively, and that it’s different from GoSearch22.

Although the scale of M1-specific malware is much lower than that of code written for x86 chips, the concern is that Apple’s aggressive transition to its homegrown silicon designs could set a tough pace for anti-malware and anti-virus software to match. Those apps rely on signatures of such code, spotting the signs of potentially dangerous software before it has a chance to infect and change a user’s system. That’s why they rely on regular updates, as new signatures are added to the watch-list.

The concern in the shorter term, however, is that those antivirus engines need to be able to keep up with arm64 malware. In Wardle’s testing with VirusTotal, an Alphabet-owned company that measures scanning performance, detections of the arm64 version of GoSearch22 were roughly 15 percent lower than those of the x86 version. That’s despite them having “the same logically equivalent malicious code,” the researcher points out.
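An added example, not from the article or from Wardle’s research: a macOS binary can carry a separate machine-code slice per architecture, and the arm64 and x86_64 slices are different bytes even when the logic is equivalent, so a byte-level signature for one does not automatically match the other. This Python code lists each slice of a Mach-O or universal binary with its own SHA-256; the function names and the stub sample are constructed for illustration.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE    # universal ("fat") header, fields big-endian
MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit Mach-O, little-endian on x86_64 and arm64
X86_64, ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {X86_64: "x86_64", ARM64: "arm64"}

def macho_slices(data):
    """Return [(arch_name, sha256_hex)] for every architecture slice."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    found = []
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        count = struct.unpack_from(">I", data, 4)[0]
        # Java class files share this magic; a large "count" is the giveaway.
        if count > 32 or 8 + 20 * count > len(data):
            raise ValueError("implausible fat header")
        for i in range(count):
            cpu, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            if off + size > len(data):
                raise ValueError("slice extends past end of file")
            found.append((cpu, data[off:off + size]))
    elif struct.unpack_from("<I", data)[0] == MH_MAGIC_64:
        found.append((struct.unpack_from("<I", data, 4)[0], data))
    else:
        raise ValueError("not a 64-bit Mach-O or universal binary")
    return [(CPU_NAMES.get(c, hex(c)), hashlib.sha256(b).hexdigest()) for c, b in found]

def has_native_arm64(data):
    return any(arch == "arm64" for arch, _ in macho_slices(data))

def thin_stub(cpu, body):
    # Constructed sample: bare 32-byte mach_header_64 plus placeholder bytes.
    return struct.pack("<8I", MH_MAGIC_64, cpu, 0, 2, 0, 0, 0, 0) + body

def build_sample_universal():
    # Constructed sample: two stub slices behind a fat header (8 + 2*20 bytes).
    x86, arm = thin_stub(X86_64, b"\x90" * 16), thin_stub(ARM64, b"\x1f\x20\x03\xd5" * 4)
    header = struct.pack(">2I", FAT_MAGIC, 2)
    header += struct.pack(">5I", X86_64, 3, 48, len(x86), 0)
    header += struct.pack(">5I", ARM64, 0, 48 + len(x86), len(arm), 0)
    return header + x86 + arm

if __name__ == "__main__":
    for arch, digest in macho_slices(build_sample_universal()):
        print(arch, digest)
```

For triage, hashing and scanning each slice separately avoids treating a universal binary as covered just because its x86_64 half is already known.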

Antivirus companies will undoubtedly be working hard to deal with what’s likely to only be a growing amount of malicious software targeting Apple Silicon as more systems using the chipsets hit the market. Still, the general advice for safer browsing and internet use – not clicking attachments in messages you don’t recognize, not installing random extensions, and maintaining a healthy degree of skepticism about links people ask you to visit – remains key, since the easiest way to avoid the impact of malware is to prevent it from getting onto your system, Mac or PC, in the first place.

