In less than four months since Apple Silicon M1 Macs were announced, the first malware for the new chips has already been found in the wild. Thanks to a detailed overview by Objective-See, we have information on this new malware that was specifically created and optimized for Apple Silicon.
Patrick Wardle, the Objective-See researcher, found “GoSearch22” through his search for malware that was optimized for Apple Silicon. He found it via VirusTotal, a website used to analyze and share malware with the security community for research.
Apple Silicon malware is already roaming in the wild
“GoSearch22” was actually submitted to VirusTotal on December 27, which shows how quickly malware was written for Apple’s new chips. Patrick was able to confirm using various checks that the code used in the malware was written specifically for M1:
Hooray, so we’ve succeeding in finding a macOS program containing native M1 (arm64) code …that is detected as malicious! This confirms malware/adware authors are indeed working to ensure their malicious creations are natively compatible with Apple’s latest hardware. 🥲
It is also important to note that GoSearch22 was indeed signed with an Apple developer ID (hongsheng yan), on November 23rd, 2020
It is important to note that Apple has since revoked the certificate for this Apple Developer ID, which is why it is not possible to find out if the code was notarized by Apple. Because the certificate has been revoked, the code will no longer be executable in macOS.
Further investigation in the original blog post shows that “GoSearch22” is a variant of “Pirrit” adware. This adware configures itself to launch when users login to macOS, and also adds itself as a Safari extension.
Patrick’s Objective-See post ends on the note that this malware illustrates how quickly malicious code is evolving with new hardware and software being released by Apple. It also shows that analysis tools or anti-virus software currently struggle with arm64 binaries and will need to evolve to keep up with the detection of new malware.