Three months after Apple launched its new M1 system-on-a-chip (SoC), cybercriminals have developed what may be the first malicious macOS application targeting the mobile giant’s first in-house silicon.
The recently uncovered malicious application, called GoSearch22, natively runs on M1 — meaning that it executes software written for M1-powered devices’ natural, basic mode of operation. The main differentiator here is that the application includes code tailored to run on ARM-based M1 processors – rather than only the Intel x86 processors previously utilized by Apple.
The application downloads a variant of Pirrit, which is a type of adware. Mac-targeting adware, which displays pesky advertisements on user computers, is a prevalent and continuous threat for Apple devices. Apple has since revoked the certificate for the malicious application.
“Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast,” said Apple-specializing researcher Patrick Wardle, who discovered the application, on Wednesday. “Today, we highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to ARM64 to gain natively binary compatibility with Apple’s latest hardware.”
What is the Apple M1 SoC?
Launched in November, the Apple M1 is the first ARM-based silicon designed by Apple, which is now the central processing unit for its Mac devices.
Starting back in 2006, Apple devices ran on Intel processors. But last year, Apple launched its own ARM-based silicon processors for its Mac lineup in an effort to achieve better technology integration, speed and efficiency.
Specifically, M1 supports an ARM64 instruction set architecture.
The M1 is deployed in the latest generations of Apple’s MacBook Air, Mac mini and MacBook Pro devices. However, many applications still run on the older Intel CPU x86_64 instructions, used by previous generations of Apple devices.
What Does ‘M1 Native Code’ Mean?
To help application developers whose apps are targeted for the older Intel set of instructions, Apple has released Rosetta, a process that translates Intel’s x86_64 instructions into native ARM64 instructions – so older applications can run seamlessly on M1 systems.
According to Apple, if an executable contains only Intel instructions, macOS automatically launches Rosetta and begins the translation process. The system then launches the translated executable in place of the original.
However, non-ARM64 code cannot run natively M1 systems and needs to be translated first – and this can lead to slower load times. That means developers who want their applications to run quickly and natively on M1, rather than go through the Rosetta process, must re-compile their applications. And so do malware authors.
“Based on the fact that native (ARM64) applications run faster (as they avoid the need for runtime translation), and that Rosetta (though amazing), has a few bugs (that may prevent certain older apps from running), developers are wise to (re)compile their applications for M1,” said Wardle.
In order for a binary to natively run on these M1 systems, it must be compiled as an Mach-O universal binary. Mach-O, which is the native executable format of binaries for Mac operating systems, is also known as a “fat binary,” which means that it contains universal code native to multiple instruction sets. That means that it can be run on multiple processor types — so a Mach-0 binary supports both ARM64 and x86_64 (rather than only x86_64) instruction sets.
GoSearch22 Application
Wardle found one such binary by searching on VirusTotal (using the search query type:macho tag:arm tag:64bits tag:multi-arch tag:signed positives:2+). Upon sifting through the VirusTotal results, Wardle found GoSearch22, a full macOS application bundle that can run natively on M1 systems. GoSearch22 was signed with an Apple developer ID (hongsheng yan) in November.
“This confirms malware/adware authors are indeed working to ensure their malicious creations are natively compatible with Apple’s latest hardware,” said Wardle.
Upon further inspection, Wardle found that GoSearch22 executes Pirrit, which once launched, installs itself as a malicious Safari extension. It creates a proxy server on infected Mac computers and injects ads into webpages.
Pirrit dates all the way back back to 2016, but has continued to evolve over the years. In 2016, researchers also linked a variant of the Pirrit adware for Mac OS X to an Israeli online marketing company called TargetingEdge, which is still in stealth mode.
“What we do know is as this binary was detected in the wild… so whether it was notarized or not, macOS users were infected,” said Wardle.
Future M1 Binaries
After uploading both binaries (ARM64 and x86_64) separately to VirusTotal and initiating scans of both, Wardle found that detections of the ARM64 version dropped 15 percent when compared to the standalone x86_64 version. This means that several antivirus engines failed to flag this binary.
The fact that security detectors are struggling to keep up could present security concerns in the future as more cybercriminals focus their attention on M1-targeting ARM64 binaries.
“While the x86_64 and ARM64 code appears logically identical (as expected), we showed that defensive security tools may struggle to detect the ARM64 binary,” he said.
Mac-Targeting Cybercriminal Innovation Plagues Apple
The malicious app sheds light on the rapid innovation on the part of cybercriminals.
In December, researchers uncovered a zer0-click Apple zero-day flaw, used in a spyware campaign against Al Jazeera journalists. In July, a new malware sample was discovered, dubbed EvilQuest, that researchers say may be ushering in a new class of Mac malware.
And in August, a campaign aimed at Mac users was discovered spreading the XCSSET suite of malware, which has the capability to hijack the Safari web browser and inject various JavaScript payloads that can steal passwords, financial data and personal information, deploy ransomware and more.
Below, Wardle talks to Threatpost about the newest tactics used by cybercriminals in abusing Apple technologies, developing malware and creating “powerful” iOS bugs.
Is your small- to medium-sized business an easy mark for attackers?
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.