It’s barely been a few months since Apple launched the first wave of Mac hardware powered by its in-house M1 silicon, but malware targeting it has already been spotted in the wild. First spotted by security researcher Patrick Wardle and subsequently detailed on Objective-See, the M1 malware is a Safari extension that was originally compiled for Intel x86 Macs and later recompiled for arm64 so that it runs natively on the new Macs.
The application bundle carrying the malware was GoSearch22.app, whose developer certificate Apple has since revoked. While the risk posed by this specific sample is not high today, the fact that it has been found in the wild is the more worrisome aspect. First, the recompiled malware was clearly built to run on Intel-based Macs as well as on Apple’s own M1 silicon, so its reach is far wider than a single-architecture build.
Second, and more alarming, malicious parties have already started building malware for the ARM-based M-series silicon that will ship in more Macs in the years to come. That makes the situation trickier for security researchers and for vendors of detection tools, because they know little about what M1 malware looks like: the first samples have only just surfaced.
Malicious actors are already making malware targeting M1 Macs, which is worrisome
With little to no knowledge of the threat they face, it is difficult to build a tool that can reliably detect and remove the coming wave of malware aimed at M1 Macs. “Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle with arm64 binaries”, Wardle notes in his in-depth analysis.
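As an added illustration of why x86-only signatures miss a recompiled sample (example code written for this page, not from the article or from Wardle’s analysis): a universal Mach-O carries one slice per architecture, so a whole-file or x86_64-only hash never matches the arm64 slice. The fat binary below is constructed with fake, non-executable slices; GoSearch22 is named only as context.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE          # universal header magic, big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin Mach-O magic, little-endian on disk
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

def parse_fat_slices(data: bytes) -> list:
    """Enumerate the per-architecture slices of a universal Mach-O.
    Header: magic, nfat_arch, then nfat_arch 20-byte big-endian records
    of (cputype, cpusubtype, offset, size, align)."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        raise ValueError("not a fat (universal) Mach-O")
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        rec = data[8 + 20 * i:28 + 20 * i]
        if len(rec) < 20:
            raise ValueError("truncated fat_arch table")
        cputype, _sub, off, size, _align = struct.unpack(">iiIII", rec)
        if off + size > len(data):
            raise ValueError("slice %d runs past end of file" % i)
        body = data[off:off + size]
        slices.append({
            "arch": ARCH_NAMES.get(cputype, "cputype=0x%x" % cputype),
            "offset": off, "size": size,
            "sha256": hashlib.sha256(body).hexdigest(),   # per-slice hash
            # each slice should begin with its own thin Mach-O magic
            "thin_ok": body[:4] == struct.pack("<I", MH_MAGIC_64),
        })
    return slices

def uncovered_archs(data: bytes, known_slice_hashes: set) -> list:
    """Slices whose hash matches none of the known per-slice signatures.
    A signature set built only from x86_64 samples leaves arm64 uncovered."""
    return [s["arch"] for s in parse_fat_slices(data)
            if s["sha256"] not in known_slice_hashes]

def build_sample_fat() -> bytes:
    """Constructed sample (not the real GoSearch22 binary): a genuine fat
    header layout wrapping two fake, non-executable slices."""
    x86 = struct.pack("<I", MH_MAGIC_64) + b"constructed x86_64 slice"
    arm = struct.pack("<I", MH_MAGIC_64) + b"constructed arm64 slice"
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">iiIII", CPU_TYPE_X86_64, 3, 0x1000, len(x86), 12)
    hdr += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 0x2000, len(arm), 14)
    return (hdr.ljust(0x1000, b"\0") + x86).ljust(0x2000, b"\0") + arm
```

Running `uncovered_archs(build_sample_fat(), {x86_hash})` with only the x86_64 slice hash known reports `["arm64"]`, which is exactly the gap a detection team must close by hashing and analysing each slice separately.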
“Watching malware make the transition from Intel to M1 rapidly is concerning, because security tools aren’t ready to deal with it. The security community doesn’t have signatures to detect these threats yet, since they haven’t been observed,” Tony Lambert, intelligence analyst at security firm Red Canary, was quoted as saying by WIRED. Researchers from the same firm are also said to be investigating another native M1 malware sample that looks distinct from the malicious Safari extension.