News of the first M1 malware comes via ex-NSA researcher and longtime Mac security researcher Patrick Wardle, who has uncovered the existence of GoSearch22.app, an M1-native version of the longstanding Pirrit virus.
“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems,” says Wardle in a blog post. “The malicious GoSearch22 application may be the first example of such natively M1 compatible code.”
Wardle notes that the adware – a type of malware that generates revenue by spamming users with pop-ups and adverts – was signed with an Apple developer ID, a paid account that allows Apple to keep track of all Mac and iOS developers, on November 23.
Having a developer ID also means a user downloading the malware wouldn’t trigger Gatekeeper on macOS, which notifies users when an application they’re about to download may not be safe.
What’s more, Wardle says that a number of current antivirus systems that could spot the Intel versions of the Pirrit virus failed to identify the M1 version.
“Certain defensive tools like antivirus engines struggle to process this ‘new’ binary file format,” Wardle says. “They can easily detect the Intel-x86 version, but failed to detect the ARM-M1 version, even though the code is logically identical.”
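To make the multi-architecture point concrete, here is an added example (not from Wardle's post or this article) that reads the header of a macOS universal binary and hashes each architecture slice separately, so a scanner can confirm it inspected the arm64 code as well as the x86_64 code. The sample bytes are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE  # universal ("fat") header, stored big-endian on disk
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}


def list_slices(data: bytes):
    """Return [(arch, offset, size, sha256)] for each slice of a universal binary."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a universal binary header")
    # Java .class files share this magic; a large "count" is really a version.
    if count > 16:
        raise ValueError("implausible slice count")
    slices = []
    for i in range(count):
        base = 8 + 20 * i  # each fat_arch entry is five 32-bit fields
        if base + 20 > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, base)
        if offset + size > len(data):
            raise ValueError("slice extends past end of file")
        name = CPU_NAMES.get(cputype, hex(cputype))
        digest = hashlib.sha256(data[offset:offset + size]).hexdigest()
        slices.append((name, offset, size, digest))
    return slices


def build_sample() -> bytes:
    """Constructed two-slice file: headers and placeholder bytes, no real code."""
    thin = struct.pack("<I", 0xFEEDFACF)  # 64-bit Mach-O magic, little-endian
    x86 = thin + b"intel-slice-placeholder"
    arm = thin + b"arm64-slice-placeholder"
    off_x86, off_arm = 64, 128
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">5I", 0x01000007, 3, off_x86, len(x86), 0)
    header += struct.pack(">5I", 0x0100000C, 0, off_arm, len(arm), 0)
    blob = header.ljust(off_x86, b"\0") + x86
    return blob.ljust(off_arm, b"\0") + arm


if __name__ == "__main__":
    for arch, offset, size, digest in list_slices(build_sample()):
        print(f"{arch:7} offset={offset:<4} size={size:<3} sha256={digest[:16]}...")
```

Each slice has its own hash, so a signature or hash match on the x86_64 slice says nothing about whether the arm64 slice was examined.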
Apple has yet to respond to Wardle’s findings, but the company has revoked the GoSearch22 certificate.
The first M1 malware has likely arrived sooner than many expected, as hackers typically look to exploit lucrative targets. Apple only introduced its first M1 Macs in November, and the ARM-based chip is currently limited to the latest models of the MacBook Air, MacBook Pro and Mac mini.
Thankfully, for the few that already own an Apple Silicon Mac, the GoSearch22 threat doesn’t seem too dangerous. However, it’s undoubtedly a sign that more M1-native malware is on the horizon.