M1 Malware - New Macs have been hit by native malware

On the Objective-See blog I found a post that should interest everyone who uses an M1 Mac with Apple Silicon instead of an Intel processor: the first native malware for the M1 chip has now surfaced. Fittingly, the post carries a pun in its title, "Arm'd & Dangerous - malicious code, now native on apple silicon". I have compiled the details on the topic for you below.

Patrick Wardle from the Objective-See blog went looking for M1 malware and found what he was looking for. You can read in this article how he found GoSearch22.

Background to M1 malware, the malware for new Macs

New Apple computers no longer run on an Intel chip but on Apple's own SoC (System on a Chip). This package of processor (CPU), graphics processor (GPU), Neural Engine, Secure Enclave and more is currently in its first generation, known as the M1 chip. It implements the arm64 (AArch64) Instruction Set Architecture (ISA), and that is exactly what the new malware targets: it was explicitly compiled as an arm64 binary for macOS, which probably makes it the first publicly documented native malware for the new Apple computers.

Specifically, the Objective-See post mentioned above describes the malware, or rather adware, "GoSearch22", which reached new M1 Macs as an application signed with an Apple developer certificate. Apple has since revoked that certificate, so the signature no longer validates. However, the research method used to find GoSearch22 (see below) shows that some users' computers had already been infected with it, because samples had been uploaded for scanning. And that's not all: the code was built as a universal binary that contains both an x86_64 slice and an arm64 slice, so it also runs on Intel Macs.

How Patrick Wardle found the M1 malware

The Objective-See post comes from Patrick Wardle, who went looking for malware built specifically for the MacBook Pro, MacBook Air and Mac mini introduced in November 2020. To do so he used VirusTotal, the service that catalogs samples already known to and detected by antivirus engines. Besides filtering for at least two antivirus detections, he searched specifically for 64-bit ARM code in the Mach-O format (the executable format of macOS and iOS). Wardle also limited the search to signed code (tag: signed), because software intended for end users on macOS is normally signed.

There were 255 hits in total, but only because iOS and iPadOS apps also match those search filters: the SoCs in Apple's mobile devices are likewise 64-bit ARM chips. After the mobile apps had been weeded out and it was established which hits were actually built for the Mac, only the GoSearch22 malware remained. If you are interested in the full approach and don't mind reading English, I recommend the entire post from 14.02.2021 on the Objective-See blog.
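An analyst triaging a Mac sample first wants to know whether it carries native arm64 code at all: that is the universal-binary point from the background section and the "64-bit ARM Mach-O" filter Wardle applied above. The following is an added example, not code from Wardle's post or from this blog: a small Python parser for Mach-O and universal ("fat") headers that reports the architectures a file contains. All sample bytes are constructed inside the script; nothing here is taken from GoSearch22 or any real sample.

```python
"""Triage a Mach-O file: which CPU architectures does it carry?

Added example. Reads only the Mach-O / fat headers and reports whether an
arm64 slice (code that runs natively on Apple Silicon) is present. The
sample blobs at the bottom are constructed here, not real binaries.
"""
import struct

FAT_MAGIC = 0xCAFEBABE                      # fat header is always big-endian on disk
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE

CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
             12: "arm", 12 | CPU_ARCH_ABI64: "arm64"}
CPU_SUBTYPE_MASK = 0x00FFFFFF               # strip capability bits before comparing
CPU_SUBTYPE_ARM64E = 2
FILETYPES = {1: "object", 2: "execute", 6: "dylib", 8: "bundle"}


def arch_name(cputype, cpusubtype):
    name = CPU_NAMES.get(cputype, "cputype=0x%x" % (cputype & 0xFFFFFFFF))
    if name == "arm64" and (cpusubtype & CPU_SUBTYPE_MASK) == CPU_SUBTYPE_ARM64E:
        name = "arm64e"                     # pointer-authentication ABI variant
    return name


def parse_thin(data):
    """Parse a single mach_header / mach_header_64. Returns a dict or None."""
    if len(data) < 28:                      # mach_header is 28 bytes, _64 is 32
        return None
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        endian = "<"                        # written by a little-endian host (all Macs today)
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        endian = ">"                        # byte-swapped: big-endian image
    else:
        return None
    cputype, cpusubtype, filetype = struct.unpack_from(endian + "iII", data, 4)
    return {"arch": arch_name(cputype, cpusubtype),
            "filetype": FILETYPES.get(filetype, str(filetype)),
            "bits": 64 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 32}


def parse_fat(data):
    """Parse a universal (fat) header; returns a list of slices or None."""
    if len(data) < 8:
        return None
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        return None
    # Java .class files share 0xCAFEBABE; there the next 4 bytes are a class-file
    # version (>= 45), far more slices than any real fat binary ever has.
    if nfat == 0 or nfat > 20:
        return None
    slices = []
    for i in range(nfat):
        off = 8 + i * 20                    # struct fat_arch is 5 x uint32
        if off + 20 > len(data):
            return None
        cputype, cpusubtype, offset, size, _align = struct.unpack_from(">iIIII", data, off)
        inner = data[offset:offset + size] if offset + size <= len(data) else b""
        slices.append({"arch": arch_name(cputype, cpusubtype),
                       "offset": offset, "size": size, "header": parse_thin(inner)})
    return slices


def triage(data):
    """Summarise a blob: kind, architectures and whether it runs natively on arm64."""
    slices = parse_fat(data)
    if slices is not None:
        archs = [s["arch"] for s in slices]
        return {"kind": "fat", "archs": archs,
                "native_arm64": any(a.startswith("arm64") for a in archs)}
    thin = parse_thin(data)
    if thin is not None:
        return {"kind": "thin", "archs": [thin["arch"]], "filetype": thin["filetype"],
                "native_arm64": thin["arch"].startswith("arm64")}
    return {"kind": "not-macho", "archs": [], "native_arm64": False}


# --- constructed samples (headers only, no load commands; enough for triage) ---
X86_64 = 7 | CPU_ARCH_ABI64
ARM64 = 12 | CPU_ARCH_ABI64


def make_thin(cputype, cpusubtype=0, filetype=2):
    """Constructed minimal little-endian mach_header_64 (MH_EXECUTE by default)."""
    return struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, cpusubtype, filetype, 0, 0, 0, 0)


def make_fat(thins):
    """Constructed fat binary wrapping the given thin images (real ones page-align slices)."""
    offset = 8 + 20 * len(thins)
    archs, body = b"", b""
    for t in thins:
        cputype, cpusubtype = struct.unpack_from("<iI", t, 4)
        archs += struct.pack(">iIIII", cputype, cpusubtype, offset, len(t), 0)
        body += t
        offset += len(t)
    return struct.pack(">II", FAT_MAGIC, len(thins)) + archs + body


SAMPLE_INTEL_ONLY = make_thin(X86_64)
SAMPLE_ARM64_ONLY = make_thin(ARM64)
SAMPLE_UNIVERSAL = make_fat([make_thin(X86_64), make_thin(ARM64)])   # like GoSearch22's layout
SAMPLE_JAVA_CLASS = bytes.fromhex("cafebabe00000034") + b"\x00" * 24  # same magic, not Mach-O

if __name__ == "__main__":
    for name, blob in [("intel-only", SAMPLE_INTEL_ONLY), ("arm64-only", SAMPLE_ARM64_ONLY),
                       ("universal", SAMPLE_UNIVERSAL), ("java-class", SAMPLE_JAVA_CLASS)]:
        print(name, triage(blob))
```

On a Mac, `file` or `lipo -archs` give the same answer for a single binary; the script is for running the check over a directory of samples or on a non-Mac analysis box. It only reads headers, so it says nothing about whether the code is malicious, and it does not handle the rarer 64-bit fat header (magic 0xCAFEBABF).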

Will old malware also run on my new Mac?

One might quickly conclude that there is very little malware for the new M1 Macs (so far apparently only this one known sample) and that these computers are therefore particularly safe. That is not quite true. Thanks to Rosetta 2, Apple's translation layer for x86_64 apps built for Intel chips, code that was actually made for older Macs can also be run on the new machines; that is why apps and tools not built natively for Apple Silicon still work there. Besides benign programs, this also applies to malicious ones. So stay vigilant ;)
