Ex-NSA researcher Patrick Wardle has discovered malware that is equipped with anti-analysis capabilities and designed to specifically target Apple’s new chip.
Cybersecurity researcher and ex-NSA official Patrick Wardle discovered a piece of Mac malware specifically created to target devices that have Apple’s new M1 chip installed.
Wardle has developed many open source security tools for Apple platforms and is well-versed in Apple's products; he has previously documented numerous malware discoveries targeting Apple devices.
As for his latest research, Wardle started looking for malware that runs natively on M1-based systems while redesigning his own tools to make them M1 compatible.
What is the M1 SoC?
The M1 system-on-chip was introduced by Apple back in Nov 2020. It not only ensures better performance but offers increased security as well.
According to the Cupertino, California-based company, the chip has security protections deeply embedded in its code execution infrastructure. It uses the arm64 CPU architecture, and all M1-native apps are compiled to arm64 code.
Adware Variant Designed for M1 Systems
In his blog post, Wardle noted that while searching VirusTotal he discovered the GoSearch22 app, which turned out to be a Pirrit adware variant signed with an Apple developer ID. Apple later revoked the certificate. Pirrit had previously been built for Intel x86 processors.
Wardle, who submitted the sample in Dec 2020, stated that it could bombard the screen with illicit ads and collect user data. This variant was built specifically for M1 systems and could install itself as a Safari extension.
It was also equipped with several anti-analysis capabilities. Wardle therefore believes that, while arm64 is beneficial for the Apple ecosystem as a whole, it has also let attackers compile their code to gain native binary compatibility with Apple's products.
“Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast. Today, we highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to arm64 to gain natively binary compatibility with Apple’s latest hardware,” Wardle wrote.
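Hunting for M1-native samples the way the article describes comes down to checking which CPU slices a Mach-O binary carries: a file with only an arm64 slice is native to the new hardware, a universal ("fat") binary carries both x86_64 and arm64, and an Intel-only build cannot run natively on M1. The following Python is an added example, not code from the article or from Wardle's tools; it parses the Mach-O and fat headers directly, the constructed sample binaries and the helper names are assumptions for illustration, and it handles only the little-endian thin headers that x86_64 and arm64 hosts produce.

```python
from __future__ import annotations
import os
import struct

# Header constants from Apple's mach-o/loader.h and mach-o/fat.h
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O; stored little-endian on x86_64/arm64
FAT_MAGIC = 0xCAFEBABE        # universal binary; fat header is always big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
MAX_FAT_ARCHS = 32            # sanity bound: 0xCAFEBABE is also the Java class magic


def macho_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures of a thin or universal Mach-O, or [] if not Mach-O."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or nfat > MAX_FAT_ARCHS:
            return []
        archs = []
        for i in range(nfat):
            entry = data[8 + i * 20: 8 + (i + 1) * 20]   # struct fat_arch is 20 bytes
            if len(entry) < 20:
                break
            cputype, _subtype, offset, size, _align = struct.unpack(">5I", entry)
            slice_magic = data[offset: offset + 4]
            # Only count a slice whose bytes really start with a Mach-O header
            if len(slice_magic) == 4 and struct.unpack("<I", slice_magic)[0] == MH_MAGIC_64:
                archs.append(CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})"))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})")]
    return []


def classify(data: bytes) -> str:
    """Classify a binary by how it can run on an M1 system."""
    archs = macho_architectures(data)
    if not archs:
        return "not-mach-o"
    if archs == ["arm64"]:
        return "arm64-native"          # the kind of sample the article describes
    if "arm64" in archs:
        return "universal"
    return "intel-only"                # would need Rosetta 2 on an M1 system


def scan_directory(root: str) -> list[tuple[str, str]]:
    """Walk a directory (e.g. an .app or Safari extension bundle) and classify every file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)          # headers live at the start of the file
            kind = classify(head)
            if kind != "not-mach-o":
                results.append((path, kind))
    return results


# --- constructed sample binaries (assumptions, not real samples) ---------------
def _thin_macho(cputype: int) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype(MH_EXECUTE=2),
    # ncmds, sizeofcmds, flags, reserved; no load commands are needed for the header check
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def _fat_binary(slices: list[bytes]) -> bytes:
    header = struct.pack(">2I", FAT_MAGIC, len(slices))
    entries, body = b"", b""
    offset = 8 + 20 * len(slices)
    for s in slices:
        cputype = struct.unpack("<I", s[4:8])[0]
        entries += struct.pack(">5I", cputype, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return header + entries + body


SAMPLE_X86_64 = _thin_macho(CPU_TYPE_X86_64)
SAMPLE_ARM64 = _thin_macho(CPU_TYPE_ARM64)
SAMPLE_UNIVERSAL = _fat_binary([SAMPLE_X86_64, SAMPLE_ARM64])

if __name__ == "__main__":
    for label, blob in [("x86_64", SAMPLE_X86_64), ("arm64", SAMPLE_ARM64),
                        ("universal", SAMPLE_UNIVERSAL), ("script", b"#!/bin/sh\n")]:
        print(f"{label:10s} {macho_architectures(blob)} -> {classify(blob)}")
```

In practice you would point `scan_directory` at a downloaded .app or extension bundle and look for "arm64-native" results, then follow up with `codesign -dv` to see whether the developer ID is still valid, since the article notes Apple revoked the certificate on this sample after the fact. The header check alone says nothing about maliciousness; it only narrows a large corpus down to the binaries that can run natively on M1.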