The First Malware Targeting Apple Computers With The M1 Processor

14/02/2021

Back in November 2020, Apple introduced its own M1 chip to power its computers.

Breaking up with Intel after 15 years of Intel silicon powering its Mac computers, the new processor holds a lot of promise. Most notably, its ARM-based architecture makes an M1 Mac behave more like an iPhone than like an older Intel Mac.

One of the main advantages is the speed it can achieve.

The M1 chip has been benchmarked on AnTuTu, and became the first to break the 1 million points mark.

Months later, malware authors are already targeting the shiny new hardware directly.

GoSearch22 with Pirrit detection.
The M1-native malware triggered some malware detection engines, showing that it shares the same signatures with the Pirrit adware family. (Credit: Patrick Wardle)

It was independent security researcher Patrick Wardle who discovered the first M1-native malware.

In a blog post, he said that he used a researcher account at VirusTotal to look for instances of M1-native malware.

The actual search query he used was 'type:macho tag:arm tag:64bits tag:multi-arch tag:signed positives:2+'. It matches Mach-O software that is signed with an Apple-issued developer certificate, is built as a multi-architecture executable that includes 64-bit ARM code, and has been flagged by at least two antivirus engines.

At first, the results were dominated by iOS malware built for more than one ARM architecture.

But when he narrowed the results down, he found a Safari extension called 'GoSearch22'.

The application bundle contained an Info.plist file, from which Wardle confirmed that it was a macOS app rather than an iOS app.
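As an added illustration, not code from the original article or from Wardle's post, the following Python script reproduces offline the two checks described above: whether a Mach-O executable carries an arm64 slice (that is, whether it is native to the M1), and whether an Info.plist describes a macOS or an iOS bundle. The Mach-O magic values and CPU type constants come from Apple's public headers; the choice of Info.plist keys used as platform indicators is an assumption, and the sample header bytes and plist documents are constructed here rather than taken from GoSearch22.

```python
import plistlib
import struct

# Mach-O constants (from Apple's <mach-o/fat.h> and <mach/machine.h>)
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") binary header, always big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O, little-endian on x86_64 and arm64
MH_MAGIC = 0xFEEDFACE         # thin 32-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}


def macho_architectures(data: bytes) -> list:
    """Return the CPU architectures contained in a Mach-O image (fat or thin)."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O image")
    (magic_be,) = struct.unpack_from(">I", data, 0)
    if magic_be == FAT_MAGIC:
        (nfat_arch,) = struct.unpack_from(">I", data, 4)
        # Java class files share the 0xCAFEBABE magic; a real fat header has a
        # small slice count, so reject implausible values instead of misparsing.
        if nfat_arch == 0 or nfat_arch > 32:
            raise ValueError("fat magic but implausible slice count")
        if len(data) < 8 + 20 * nfat_arch:
            raise ValueError("truncated fat header")
        archs = []
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (20 bytes)
            cputype, _subtype, _offset, _size, _align = struct.unpack_from(
                ">iiIII", data, 8 + 20 * i)
            archs.append(CPU_NAMES.get(cputype, "unknown(0x%08x)" % (cputype & 0xFFFFFFFF)))
        return archs
    (magic_le,) = struct.unpack_from("<I", data, 0)
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        # struct mach_header(_64): magic, cputype, ... in host (little-endian) order
        (cputype,) = struct.unpack_from("<i", data, 4)
        return [CPU_NAMES.get(cputype, "unknown(0x%08x)" % (cputype & 0xFFFFFFFF))]
    raise ValueError("not a Mach-O image")


def bundle_platform(info_plist: bytes) -> str:
    """Classify an app bundle as macOS or iOS from its Info.plist keys.

    Heuristic (assumption): CFBundleSupportedPlatforms / DTPlatformName name the
    platform directly; LSMinimumSystemVersion is a macOS key and MinimumOSVersion
    an iOS key.
    """
    info = plistlib.loads(info_plist)
    platforms = set(info.get("CFBundleSupportedPlatforms", []))
    sdk = info.get("DTPlatformName", "")
    if "MacOSX" in platforms or sdk == "macosx" or "LSMinimumSystemVersion" in info:
        return "macOS"
    if "iPhoneOS" in platforms or sdk == "iphoneos" or "MinimumOSVersion" in info:
        return "iOS"
    return "unknown"


def triage(macho: bytes, info_plist: bytes) -> dict:
    """Answer the questions the article raises: which slices, M1-native or not, which OS."""
    archs = macho_architectures(macho)
    return {"archs": archs, "m1_native": "arm64" in archs, "platform": bundle_platform(info_plist)}


# --- Constructed sample inputs (not real GoSearch22 artefacts) ---------------
def _fat_header(cputypes):
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    offset = 0x4000
    for ct in cputypes:
        hdr += struct.pack(">iiIII", ct, 0, offset, 0x1000, 14)  # align = 2^14
        offset += 0x4000
    return hdr


SAMPLE_UNIVERSAL = _fat_header([CPU_TYPE_X86 | CPU_ARCH_ABI64, CPU_TYPE_ARM | CPU_ARCH_ABI64])
SAMPLE_INTEL_ONLY = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0)

SAMPLE_MAC_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.sample-extension</string>
  <key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array>
  <key>LSMinimumSystemVersion</key><string>10.12</string>
</dict></plist>"""

SAMPLE_IOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.sample-ios</string>
  <key>CFBundleSupportedPlatforms</key><array><string>iPhoneOS</string></array>
  <key>MinimumOSVersion</key><string>13.0</string>
</dict></plist>"""

if __name__ == "__main__":
    print(triage(SAMPLE_UNIVERSAL, SAMPLE_MAC_PLIST))
    print(triage(SAMPLE_INTEL_ONLY, SAMPLE_MAC_PLIST))
    print(bundle_platform(SAMPLE_IOS_PLIST))
```

The parser only reads the fat and thin headers, so it can be run over a whole directory of executables without executing anything. On a real Mac the same facts are reported by Apple's own 'lipo -archs' and 'file' tools; this version exists so that the hunt Wardle describes can be reproduced on any platform.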

The M1-native malware Wardle found triggered 24 separate detection engines on VirusTotal. 17 of the 24 positives were "generic" detections, and the remaining 7 matched signatures of the Pirrit adware family.

The app was signed with Apple developer ID hongsheng_yan in November 2020.

GoSearch22 signature.
The GoSearch22 app was signed with an Apple Developer ID. (Credit: Patrick Wardle)

It should be noted that ARM processors differ from Intel's.

The Apple M1, being ARM-based, has a very different Instruction Set Architecture (ISA) from traditional x86 desktop and laptop CPUs. This means that software built for one ISA cannot run on the other architecture without help; M1 Macs can run x86 software through a translation layer called Rosetta, for example.
When it comes to malware, there is a common saying that Apple's computers are largely immune to it.

While that is incorrect, it's true that Mac malware is far less common than Windows malware.

But still, malware can exist on any operating system, old and new.

And in this first-ever M1 malware case, Apple has revoked the developer certificate used to sign the app.

With its certificate revoked, this version of GoSearch22 should not be able to run on macOS anymore.

The second known malware targeting M1-powered computers, called 'Silver Sparrow', was found less than a week later.