First Apple Silicon M1 malware discovered in the wild

Posted:
in General Discussion edited February 17
The first malware native to Apple Silicon M1 Macs has been discovered by independent security researcher Patrick Wardle.

Apple M1


Ex-NSA researcher Patrick Wardle has recently praised Apple for the security of its M1 processor, but even so has now discovered evidence of hackers recompiling malware for it.

Wardle discovered the existence of GoSearch22.app, an M1-native version of the longstanding Pirrit adware. This version appears to have been aimed at displaying ads and collecting data from the user's browser.

"Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems," says Wardle in a blog post. "The malicious GoSearch22 application may be the first example of such natively M1 compatible code."

"The creation of such applications is notable for two main reasons," he continues. "First (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino."

"There are a myriad of [sic] benefits to natively distributing native arm64 binaries, so why would malware authors resist?" he continues. "Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle [to detect this]."

Wardle says that a number of current anti-virus systems which could spot the Intel versions of Pirrit, failed to identify the Apple Silicon M1 version.

Apple has now revoked the developer's certificate so that it cannot be run. Wardle says that this means there are certain issues regarding its distribution that can no longer be answered.

"What is not known is if Apple notarized the code," noted Wardle, meaning whether a developer submitted it to Apple or was working around the company's security. "We cannot answer this question, because Apple has revoked the certificate."

"What we do know is," he continues, "as this binary was detected in the wild... whether it was notarized or not, macOS users were infected."
«1

Comments

  • Reply 1 of 26
    @AppleInsider ;A follow up that states which antivirus detected this native version and which failed to do so would be helpful.
    olswatto_cobra
  • Reply 2 of 26
    I had to Google why AI might say "[sic]" for this:
    "There are a myriad of [sic]
    and I found this:

    Another hot debate is whether it is correct to say, “Disneyland has myriad delights" or “Disneyland has a myriad of delights." You commonly hear "a myriad of" and just as commonly hear people railing that it should be simply "myriad" because the word is an adjective and essentially equivalent to a number. The argument goes like this: You wouldn't say, "There are a ten thousand of delights," so you shouldn't say, "There are a myriad of delights.”

    Believe it or not, most language experts say that either way is fine. “Myriad” was actually used as a noun in English long before it was used as an adjective, and Merriam-Webster says the criticism the word gets as a noun is “recent.” Further, Garner’s Modern English Usage says “a myriad of” is fine even though it’s less efficient than “myriad.” Language is about more than efficiency, after all!  

    Today, “myriad” is used as both a noun and an adjective, which means it can be used with an “a” before it (as a noun, “a myriad” just as you would say “a mouse”) or without an “a” before it (as an adjective, “myriad delights” just as you would say “delicious treats”).

    Nevertheless, if you choose to say or write "a myriad of," I have to warn you that you'll encounter occasional but vehement resistance. And in fact, the AP Stylebook says not to use it. So if you’re following AP style, it doesn’t matter what Merriam-Webster or Garner says is fine. (The Chicago Manual of Style doesn’t comment on “a myriad of” directly, but in a Q&A refers people to Merriam-Webster.)

    I guess AI doesn't approve of certain styles even when those styles are technically correct.

    dysamoriamike1JanNLapplguyrandominternetperson
  • Reply 3 of 26
    MplsPMplsP Posts: 3,161member
    So essentially, Apple comes out with a new processor. A hacker re-compiles malware code to run natively and antivirus software doesn't detect it because it's essentially new code with a new signature and they haven't caught up yet. Since the M1 is a processor running a computer with MacOS, it's quite capable of running malware code and there's no evidence this code is any worse, more virulent or better and circumventing protections than any other malware, so is there really that much new here?
    dk49rob53dysamorialongpathrandominternetpersonolsnarwhalwatto_cobra
  • Reply 4 of 26
    jccjcc Posts: 297member
    So, as far as I know, there is no malware that would run or infect Macs unless you install it by entering your login password. So why are people so worked up about malware on Macs? Just don't ever enter your password to install it, problem solved!
    longpathlkruppwatto_cobra
  • Reply 5 of 26
    jcc said:
    So, as far as I know, there is no malware that would run or infect Macs unless you install it by entering your login password. So why are people so worked up about malware on Macs? Just don't ever enter your password to install it, problem solved!
    I own a mouse from a major mouse manufacturer and every month I get a notification that a new mouse driver has appeared and I should update it. To do that I have to enter my password. Should I trust it? It's not easy to decide. I can't see why Apple would design an OS that requires admin passwords to install something that should be utterly harmless to my computer, like a mouse driver.
    anantksundaramwatto_cobra
  • Reply 6 of 26
    Rayz2016Rayz2016 Posts: 6,843member
    MplsP said:
    So essentially, Apple comes out with a new processor. A hacker re-compiles malware code to run natively and antivirus software doesn't detect it because it's essentially new code with a new signature and they haven't caught up yet. Since the M1 is a processor running a computer with MacOS, it's quite capable of running malware code and there's no evidence this code is any worse, more virulent or better and circumventing protections than any other malware, so is there really that much new here?
    Exactly.

    Annoying, yes, but at least it proves Apple’s version of the ARM instruction set is up to snuff. 
    olswatto_cobra
  • Reply 7 of 26
    dk49dk49 Posts: 105member
    I am not a processor expert, but this post seems a bit misleading. The security flaw is not on a hardware level like in the case of Spectre (which affected x86 processors). This seems more like an OS level bug. It's just that the malware has been recompiled to run nativity on the M1, just like so many other apps. 
    olswatto_cobra
  • Reply 8 of 26
    So anti virus software has to wait for an intel virus to be recompiled for the M1 before it can be detected.  Is there no way to preempt it.
    watto_cobra
  • Reply 9 of 26
    muaddib said:
    So anti virus software has to wait for an intel virus to be recompiled for the M1 before it can be detected.  Is there no way to preempt it.
    Anti-virus software works (mostly) by looking for virus signatures, which are snippets of code in the virus. if a virus has been recompiled for M1 then the signature is new and different.

    If your personal fingerprints have never been put into the national fingerprint database of criminals, then how would the government find you if they found your fingerprint somewhere? They have to have registered your fingerprint first. Same thing with computer viruses.

    If a virus tries to do something that's prohibited, perhaps like accessing files that it shouldn't, then you have a chance to preempt it. But many viruses don't make it easy or obvious to detect them.
    watto_cobra
  • Reply 10 of 26
    rob53rob53 Posts: 2,564member
    jcc said:
    So, as far as I know, there is no malware that would run or infect Macs unless you install it by entering your login password. So why are people so worked up about malware on Macs? Just don't ever enter your password to install it, problem solved!
    I own a mouse from a major mouse manufacturer and every month I get a notification that a new mouse driver has appeared and I should update it. To do that I have to enter my password. Should I trust it? It's not easy to decide. I can't see why Apple would design an OS that requires admin passwords to install something that should be utterly harmless to my computer, like a mouse driver.
    You know the answer to your question. It’s because drivers aren’t generally loaded in user space. A mouse driver, just like printer drivers require an admin password so other users can use the mouse. 

    What people also don’t comment on is the proper restricted use of an admin account. Even Apple doesn’t force installations to set up admin account then create non-admin accounts for every user. This stops most malware from being installed. 
    longpathwatto_cobra
  • Reply 11 of 26
    Your “[sic]” deserves a [sic].  Remove it. 
    marklarkapplguyrandominternetpersonwatto_cobra
  • Reply 12 of 26
    Of course the malware was notarized, it's an automated process.

    But that doesn't mean the idea of notarization failed, that being the ability to revoke the certificate of malicious software.
    watto_cobra
  • Reply 13 of 26
    jcc said:
    So, as far as I know, there is no malware that would run or infect Macs unless you install it by entering your login password. So why are people so worked up about malware on Macs? Just don't ever enter your password to install it, problem solved!
    I own a mouse from a major mouse manufacturer and every month I get a notification that a new mouse driver has appeared and I should update it. To do that I have to enter my password. Should I trust it? It's not easy to decide. I can't see why Apple would design an OS that requires admin passwords to install something that should be utterly harmless to my computer, like a mouse driver.
    No mouse requires a driver.  If the Mfg is Logitech - their keyboard/mouse software have always been crappy Mac apps.
    watto_cobra
  • Reply 14 of 26
    dysamoriadysamoria Posts: 3,398member
    I had to Google why AI might say "[sic]" for this:
    "There are a myriad of [sic]
    and I found this:

    Another hot debate is whether it is correct to say, “Disneyland has myriad delights" or “Disneyland has a myriad of delights." You commonly hear "a myriad of" and just as commonly hear people railing that it should be simply "myriad" because the word is an adjective and essentially equivalent to a number. The argument goes like this: You wouldn't say, "There are a ten thousand of delights," so you shouldn't say, "There are a myriad of delights.”

    Believe it or not, most language experts say that either way is fine. “Myriad” was actually used as a noun in English long before it was used as an adjective, and Merriam-Webster says the criticism the word gets as a noun is “recent.” Further, Garner’s Modern English Usage says “a myriad of” is fine even though it’s less efficient than “myriad.” Language is about more than efficiency, after all!  

    Today, “myriad” is used as both a noun and an adjective, which means it can be used with an “a” before it (as a noun, “a myriad” just as you would say “a mouse”) or without an “a” before it (as an adjective, “myriad delights” just as you would say “delicious treats”).

    Nevertheless, if you choose to say or write "a myriad of," I have to warn you that you'll encounter occasional but vehement resistance. And in fact, the AP Stylebook says not to use it. So if you’re following AP style, it doesn’t matter what Merriam-Webster or Garner says is fine. (The Chicago Manual of Style doesn’t comment on “a myriad of” directly, but in a Q&A refers people to Merriam-Webster.)

    I guess AI doesn't approve of certain styles even when those styles are technically correct.

    I’ve given up trying to encourage Apple Insider to proofread and use generally-approved English grammar after being smacked down for it. It’s literally in the terms of use here that we don’t critique their typos and whatnot.
    mike1longpathelijahgrandominternetpersonblastdoor
  • Reply 15 of 26
    dysamoriadysamoria Posts: 3,398member
    MplsP said:
    So essentially, Apple comes out with a new processor. A hacker re-compiles malware code to run natively and antivirus software doesn't detect it because it's essentially new code with a new signature and they haven't caught up yet. Since the M1 is a processor running a computer with MacOS, it's quite capable of running malware code and there's no evidence this code is any worse, more virulent or better and circumventing protections than any other malware, so is there really that much new here?
    I originally came here to say this...
  • Reply 16 of 26
    Yeah... you don't want a Rosetta pop-up for your malware: embarrassing! 😳
    watto_cobra
  • Reply 17 of 26
    MplsP said:
    So essentially, Apple comes out with a new processor. A hacker re-compiles malware code to run natively and antivirus software doesn't detect it because it's essentially new code with a new signature and they haven't caught up yet. Since the M1 is a processor running a computer with MacOS, it's quite capable of running malware code and there's no evidence this code is any worse, more virulent or better and circumventing protections than any other malware, so is there really that much new here?
    It is narrative stuff. Apple - especially Tim Cook era Apple - has made "privacy and security" the core identity of the brand over against Windows and Android. A narrative that was always problematic/lacking context. For example on macOS it was primarily a case of "security via obscurity." The Android stuff was mostly fearmongering based on bad comparisons to Windows 98/ME/XP where macOS = iOS and Android = Windows XP (when in reality the Windows and DOS kernels were developed prior to cybersecurity becoming a thing but Android was A. developed on a far more secure Linux kernel and B. have sandboxed apps which Microsoft didn't achieve until Windows 8 in 2012, and even then only the apps installed via the Windows Store that practically nobody uses are sandboxed). 

    So anything that runs counter to the narrative that Apple has spent years building and also gets circulated without question by most of its fans in the media (90% of what you read on media sites and blogs are written on MacBooks and iPad Pros) instead of being challenged is going to get noticed. Yes, we know that this is simply a generic ARM bug that hit the M1 Mac because it is an ARM CPU, and that the exploit is at the application level, not the hardware level (i.e. Meltdown/Spectre) or the OS level. But you can't expect the same people who didn't know - or care - that M1 versus Intel MacBook benchmarking was misleading because A. the Intel CPUs were as much as 2 years old and B. Apple chooses Intel CPUs based on "thin and light" design preferences rather than the performance ones that go into Wintel gaming laptops and ultrabooks to be willing or able to do this.
  • Reply 18 of 26
    jcc said:
    So, as far as I know, there is no malware that would run or infect Macs unless you install it by entering your login password. So why are people so worked up about malware on Macs? Just don't ever enter your password to install it, problem solved!
    I own a mouse from a major mouse manufacturer and every month I get a notification that a new mouse driver has appeared and I should update it. To do that I have to enter my password. Should I trust it? It's not easy to decide. I can't see why Apple would design an OS that requires admin passwords to install something that should be utterly harmless to my computer, like a mouse driver.
    It's based on trust. You can't install pointer utilities (it's likely more than just a driver) w/o an admin password because the system cannot trust that it's harmless. If Apple allowed drivers/utilities to be installed w/o admin permission, guess what attackers would target?
    edited February 17 watto_cobra
  • Reply 19 of 26
    cloudguy said:
    MplsP said:
    So essentially, Apple comes out with a new processor. A hacker re-compiles malware code to run natively and antivirus software doesn't detect it because it's essentially new code with a new signature and they haven't caught up yet. Since the M1 is a processor running a computer with MacOS, it's quite capable of running malware code and there's no evidence this code is any worse, more virulent or better and circumventing protections than any other malware, so is there really that much new here?
    It is narrative stuff. Apple - especially Tim Cook era Apple - has made "privacy and security" the core identity of the brand over against Windows and Android. A narrative that was always problematic/lacking context. For example on macOS it was primarily a case of "security via obscurity." The Android stuff was mostly fearmongering based on bad comparisons to Windows 98/ME/XP where macOS = iOS and Android = Windows XP (when in reality the Windows and DOS kernels were developed prior to cybersecurity becoming a thing but Android was A. developed on a far more secure Linux kernel and B. have sandboxed apps which Microsoft didn't achieve until Windows 8 in 2012, and even then only the apps installed via the Windows Store that practically nobody uses are sandboxed). 
    Have they said it's the core identity of the brand? I know they have said privacy is a right, but I don't know that they've said it's the #1 core identity of Apple products. 

    But no, macOS is not dependent on "security by obscurity". It's security by being a more secure POSIX OS. The older Mac System OSes had far more viruses in the wild than OS X did, despite being much less popular (fewer users) than OS X. Security by obscurity is a myth and macOS surely doesn't subscribe to it.
    longpathwatto_cobra
  • Reply 20 of 26
    cloudguy said:
    MplsP said:
    so is there really that much new here?
    It is narrative stuff. Apple - especially Tim Cook era Apple - has made "privacy and security" the core identity of the brand over against Windows and Android. A narrative that was always problematic/lacking context. For example on macOS it was primarily a case of "security via obscurity." The Android stuff was 
    I'm confused. Are you aware that:
    • macOS uses BSD OS whose source code is publicly available? (the macOS GUI doesn't have published source code)
    • source code which is published is not an example of "security by obscurity"?
    • Windows has not published its source code?
    I'm terribly confused why you would think an OS whose source code is published could be called "security by obscurity."
    randominternetpersonwatto_cobra
Sign In or Register to comment.