In just three months, hackers have debuted at least two strains of malware built to run natively on Apple's new M1 chip.
Noted Mac security researcher Patrick Wardle published a blog Feb. 14 noting that a Safari adware extension originally compiled for Intel x86 chips had been rebuilt as a native arm64 binary and shipped as a universal (fat) binary carrying both x86_64 and arm64 code, so it runs on the new M1 chips without Rosetta 2 translation. According to Wardle, the malicious GoSearch22 extension was traced to the Pirrit Mac adware family.
Separately, researchers from Red Canary posted a blog Thursday about a second, unrelated strain, Silver Sparrow, which likewise ships an M1-native build. The Red Canary researchers said that while Silver Sparrow has not delivered a malicious payload yet, it is poised to do so at a moment's notice. According to data provided to Red Canary by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany.
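Both strains described above reached M1 Macs the same way: as universal Mach-O binaries that bundle an Intel slice alongside an arm64 slice. The script below, added here as an example and not code from the original article or from either research team, parses the Mach-O header of a file and reports which CPU architectures it contains, so an analyst can separate native Apple-silicon builds from Intel-only ones without relying on macOS's lipo. The sample binaries are constructed inline (header-only slices with no code), and the function names are mine.

```python
"""Triage helper: list the CPU architectures a Mach-O file was built for.

Reads the fat (universal) header or the thin Mach-O header directly, so it
works on any platform. Added example; not from the original article.
"""
import struct

FAT_MAGIC = 0xCAFEBABE                              # universal binary; header is big-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE   # thin 64-bit Mach-O, big / little endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE         # thin 32-bit Mach-O, big / little endian

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {
    0x00000007: "i386",
    CPU_TYPE_X86_64: "x86_64",
    0x0000000C: "arm",
    CPU_TYPE_ARM64: "arm64",
}


def mach_o_architectures(data: bytes) -> list:
    """Return the architecture names found in a Mach-O image, in header order."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    magic = struct.unpack(">I", data[:4])[0]

    if magic == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java class files share the CAFEBABE magic; their minor/major version
        # field lands here and makes the arch count implausibly large.
        if nfat == 0 or nfat > 32:
            raise ValueError("CAFEBABE magic with implausible arch count (Java class file?)")
        arches = []
        for i in range(nfat):
            off = 8 + i * 20                        # sizeof(struct fat_arch) == 20
            cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", data[off:off + 20])
            if offset + size > len(data):
                raise ValueError(f"slice {i} extends past end of file")
            arches.append(CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}"))
        return arches

    if magic in (MH_MAGIC_64, MH_MAGIC):            # big-endian thin image
        cputype = struct.unpack(">I", data[4:8])[0]
    elif magic in (MH_CIGAM_64, MH_CIGAM):          # little-endian thin image (x86_64, arm64)
        cputype = struct.unpack("<I", data[4:8])[0]
    else:
        raise ValueError("not a Mach-O file")
    return [CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}")]


def runs_natively_on_apple_silicon(data: bytes) -> bool:
    """True if the image carries an arm64 slice (no Rosetta 2 needed on M1)."""
    return "arm64" in mach_o_architectures(data)


def is_mach_o(data: bytes) -> bool:
    try:
        mach_o_architectures(data)
        return True
    except ValueError:
        return False


# --- constructed sample inputs (header-only, no executable code) ---------------

def build_thin_header(cputype: int) -> bytes:
    """Minimal little-endian mach_header_64: magic, cputype, cpusubtype,
    filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved."""
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_universal(slices) -> bytes:
    """Assemble a fat binary from (cputype, bytes) slices, page-aligned as lipo does."""
    align = 12                                      # 2**12 = 4096-byte alignment
    page = 1 << align
    offset, entries, body = page, [], bytearray()
    for cputype, blob in slices:
        entries.append(struct.pack(">IIIII", cputype, 0, offset, len(blob), align))
        body += blob.ljust(page, b"\0")
        offset += page
    header = struct.pack(">II", FAT_MAGIC, len(slices)) + b"".join(entries)
    return header.ljust(page, b"\0") + bytes(body)


INTEL_ONLY_SAMPLE = build_thin_header(CPU_TYPE_X86_64)
UNIVERSAL_SAMPLE = build_universal([
    (CPU_TYPE_X86_64, build_thin_header(CPU_TYPE_X86_64)),
    (CPU_TYPE_ARM64, build_thin_header(CPU_TYPE_ARM64)),
])
JAVA_CLASS_LIKE = struct.pack(">IHH", FAT_MAGIC, 0, 52) + b"\0" * 32  # CAFEBABE, not Mach-O

if __name__ == "__main__":
    for name, blob in (("intel-only", INTEL_ONLY_SAMPLE), ("universal", UNIVERSAL_SAMPLE)):
        print(f"{name}: {mach_o_architectures(blob)} native on M1: {runs_natively_on_apple_silicon(blob)}")
```

To run it against a real file, pass `open(path, "rb").read()` to `mach_o_architectures`; a result containing `arm64` next to `x86_64` is the universal-binary pattern both write-ups describe, and is worth a closer look when it appears in an installer or browser extension that was Intel-only in earlier versions.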
Apple introduced the M1 in November 2020 in the MacBook Air, 13-inch MacBook Pro and Mac mini. The chip is designed by Apple and implements the Arm instruction set architecture, a reduced instruction set computing (RISC) design licensed from Arm; Arm defines both 32-bit and 64-bit variants, and the M1 executes only the 64-bit (arm64) variant, so native macOS software must be rebuilt for it.
These developments are interesting for at least two reasons. First, the M1 chip represents a break from the Intel x86 architecture that Apple has relied on since 2005 – a move that came with promises of greater security. And second, the mere fact that in such a short time malware has emerged for the new M1 chip was cause for security pros to take note.
The ability of the malware developers to reverse engineer the M1 chip in just three months sets a blistering pace, said Kevin Dunne, president of Greenlight. While the footprint of the malware is still minimal, Dunne said it will certainly evolve over time to exploit more attack vectors.
“Once bad actors have control of the physical device, they can use that device as an access point to the networks that machine is connected to, either physically or via VPN,” Dunne said. “This reinforces the need for additional protection at the application layer, to constantly assess activity within those applications for unusual behavior, and mitigate potential risks in real time.”
Malware developers and distributors are getting creative in the way they develop and distribute sophisticated products and applications, just like legitimate companies, added Jon Gulley, application security penetration tester at nVisium.
“As such, it’s not unsurprising that just as Apple continues to evolve its processors and reach broader categories of users, both consumer and business, so too will the evolution and shift in malware development adapt to the adoption of the M1,” Gulley said. “There’s plenty of profit for malicious actors to reap by simply following such market trends to develop malware variants they can port across processors."
News of the second malware strain emerged the same day that Apple unveiled the latest version of its Platform Security Guide, which points to a number of M1-related capabilities.