First Apple Silicon M1 malware discovered in the wild
The first malware native to Apple Silicon M1 Macs has been discovered by independent security researcher Patrick Wardle.

Ex-NSA researcher Patrick Wardle recently praised Apple for the security of its M1 processor, but has now found evidence of malware authors recompiling their code to run natively on it.
Wardle discovered GoSearch22.app, an M1-native build of the long-running Pirrit adware family. This version appears to exist to inject ads and harvest data from the user's browser.
"Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems," says Wardle in a blog post. "The malicious GoSearch22 application may be the first example of such natively M1 compatible code."
"The creation of such applications is notable for two main reasons," he continues. "First (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino."
"There are a myriad of [sic] benefits to natively distributing native arm64 binaries, so why would malware authors resist?" he continues. "Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle [to detect this]."
Wardle says that a number of current anti-virus engines that could spot the Intel version of Pirrit failed to identify the Apple Silicon M1 version. That is the expected outcome when detection is keyed to the x86_64 build: a signature written against Intel instruction patterns or a hash of the Intel slice has nothing to match in an arm64 slice compiled from the same source.
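Why a signature keyed to one slice misses the other, as an added illustration rather than code from the article or from Wardle's analysis: the script below parses the universal (fat) Mach-O header, checks that each slice's own header agrees with the architecture the fat table advertises, hashes every slice separately, and shows that a hash-based signature for the x86_64 slice does not match the arm64 slice sitting next to it in the same file. The fat binary it inspects is constructed in the script itself (two minimal, non-executable Mach-O headers with dummy payloads, not a real sample); `build_sample_fat`, `slice_hashes` and `match_signatures` are this example's own names, not part of any tool.

```python
"""Enumerate and hash the architecture slices of a universal (fat) Mach-O.

Added example; not code from the article or from Wardle's research. The
sample binary is constructed below: two minimal, non-executable Mach-O
headers with dummy payloads, not a real adware sample.
"""
import hashlib
import struct
from typing import Dict, List

FAT_MAGIC = 0xCAFEBABE        # universal binary; fat header fields are big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header magic, as the CPU reads it
MH_MAGIC_64_BE = 0xCFFAEDFE   # the same magic read big-endian from the file start
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_fat_header(data: bytes) -> List[Dict]:
    """Return one entry per struct fat_arch, raising on non-fat or truncated input."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08x)" % magic)
    entries = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, align = struct.unpack_from(
            ">iiIII", data, 8 + i * 20)
        if offset + size > len(data):
            raise ValueError("slice %d runs past the end of the file" % i)
        entries.append({"arch": ARCH_NAMES.get(cputype, hex(cputype)),
                        "cputype": cputype, "cpusubtype": cpusubtype,
                        "offset": offset, "size": size, "align": align})
    return entries


def slice_header_ok(data: bytes, entry: Dict) -> bool:
    """Check that the slice really starts with a 64-bit Mach-O header whose
    cputype matches what the fat table advertises (a mismatch is a red flag)."""
    magic, cputype = struct.unpack_from("<Ii", data, entry["offset"])
    return magic == MH_MAGIC_64 and cputype == entry["cputype"]


def list_architectures(data: bytes) -> List[str]:
    """Architectures in a fat or thin 64-bit Mach-O, in the spirit of `lipo -archs`."""
    magic = struct.unpack_from(">I", data, 0)[0]
    if magic == FAT_MAGIC:
        return [e["arch"] for e in parse_fat_header(data)]
    if magic == MH_MAGIC_64_BE:
        cputype = struct.unpack_from("<i", data, 4)[0]
        return [ARCH_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O this parser understands (magic 0x%08x)" % magic)


def slice_hashes(data: bytes) -> Dict[str, str]:
    """SHA-256 of each slice's bytes; a whole-file hash would hide these differences."""
    return {e["arch"]: hashlib.sha256(data[e["offset"]:e["offset"] + e["size"]]).hexdigest()
            for e in parse_fat_header(data)}


def match_signatures(data: bytes, known_bad: set) -> Dict[str, bool]:
    """Per-slice verdict for a hash-based signature set: a rule that only knows
    the Intel build of an adware family flags the x86_64 slice and nothing else."""
    return {arch: h in known_bad for arch, h in slice_hashes(data).items()}


def build_sample_fat(x86_payload: bytes, arm64_payload: bytes, align: int = 12) -> bytes:
    """Construct a two-slice fat file for the demo (constructed sample, not real code).
    Each slice is a mach_header_64 (MH_EXECUTE, zero load commands) plus a dummy payload."""
    page = 1 << align

    def thin(cputype: int, cpusubtype: int, payload: bytes) -> bytes:
        # magic, cputype, cpusubtype, filetype=MH_EXECUTE(2), ncmds, sizeofcmds, flags, reserved
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0) + payload

    slices = [(CPU_TYPE_X86_64, 3, thin(CPU_TYPE_X86_64, 3, x86_payload)),   # CPU_SUBTYPE_X86_64_ALL
              (CPU_TYPE_ARM64, 0, thin(CPU_TYPE_ARM64, 0, arm64_payload))]   # CPU_SUBTYPE_ARM64_ALL
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    body, offset = b"", page
    for cputype, cpusubtype, blob in slices:
        header += struct.pack(">iiIII", cputype, cpusubtype, offset, len(blob), align)
        padding = -len(blob) % page            # each slice starts on a 2**align boundary
        body += blob + b"\0" * padding
        offset += len(blob) + padding
    return header + b"\0" * (page - len(header)) + body


if __name__ == "__main__":
    # Constructed sample: same "family", different machine code in each slice.
    fat = build_sample_fat(b"intel adware payload", b"arm64 adware payload")
    print("architectures:", list_architectures(fat))
    for entry in parse_fat_header(fat):
        print(entry["arch"], "header ok:", slice_header_ok(fat, entry))
    hashes = slice_hashes(fat)
    intel_only_rule = {hashes["x86_64"]}        # a signature written against the Intel build
    print("signature verdict per slice:", match_signatures(fat, intel_only_rule))
```

The per-slice check matters in both directions: a rule that fires on the Intel slice gives an analyst a false sense of coverage, and a fat table whose advertised cputype disagrees with the slice header underneath it is itself worth a closer look. On a real Mac the same questions are answered by `lipo -archs` and `codesign -dvv` on the bundle's main executable; this parser only reproduces the slice enumeration.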
Apple has since revoked the developer certificate the app was signed with, so macOS will no longer allow it to launch. Wardle says that this also means certain questions about how it was distributed can no longer be answered.
"What is not known is if Apple notarized the code," noted Wardle, meaning whether the developer submitted the binary to Apple's automated notarization scan and had it pass, or distributed it without going through that check. "We cannot answer this question, because Apple has revoked the certificate."
"What we do know is," he continues, "as this binary was detected in the wild... whether it was notarized or not, macOS users were infected."

Comments
and I found this:
I guess AI doesn't approve of certain styles even when those styles are technically correct.
Annoying, yes, but at least it proves Apple’s version of the ARM instruction set is up to snuff.
If your personal fingerprints have never been put into the national fingerprint database of criminals, then how would the government find you if they found your fingerprint somewhere? They have to have registered your fingerprint first. Same thing with computer viruses.
If a virus tries to do something that's prohibited, perhaps like accessing files that it shouldn't, then you have a chance to preempt it. But many viruses don't make it easy or obvious to detect them.
But that doesn't mean the idea of notarization failed, that being the ability to revoke the certificate of malicious software.
So anything that runs counter to the narrative that Apple has spent years building and also gets circulated without question by most of its fans in the media (90% of what you read on media sites and blogs are written on MacBooks and iPad Pros) instead of being challenged is going to get noticed. Yes, we know that this is simply a generic ARM bug that hit the M1 Mac because it is an ARM CPU, and that the exploit is at the application level, not the hardware level (i.e. Meltdown/Spectre) or the OS level. But you can't expect the same people who didn't know - or care - that M1 versus Intel MacBook benchmarking was misleading because A. the Intel CPUs were as much as 2 years old and B. Apple chooses Intel CPUs based on "thin and light" design preferences rather than the performance ones that go into Wintel gaming laptops and ultrabooks to be willing or able to do this.
But no, macOS is not dependent on "security by obscurity". It's security by being a more secure POSIX OS. The older Mac System OSes had far more viruses in the wild than OS X did, despite being much less popular (fewer users) than OS X. Security by obscurity is a myth and macOS surely doesn't subscribe to it.
- macOS uses BSD OS whose source code is publicly available? (the macOS GUI doesn't have published source code)
- source code which is published is not an example of "security by obscurity"?
- Windows has not published its source code?
I'm terribly confused why you would think an OS whose source code is published could be called "security by obscurity."