First malware found for M1 Macs — what to do now [updated]

Tom’s Guide’s favorite tech of 2020
(Image credit: Tom's Guide)

It's a dubious milestone, but the first piece of malware designed to run on Apple's new M1 processor has been found. 

The malware, called GoSearch 22, is adware that hijacks browser search results, injects ads and might possibly also steal data. It often comes secretly bundled with free online software. For the moment, its installation is blocked on the most recent versions of macOS, yet that could change.

GoSearch 22 has been known of for a couple of months, but until independent Mac security researcher Patrick Wardle had a look at its code, it wasn't clear that a second version had been created to run natively on the M1 processor.

"I figured it would make sense that (eventually) we'd see malware built to execute natively on Apple new M1 systems," Wardle wrote in a blog post this past weekend. "Malware authors have now joined the ranks of developers (re)compiling their code to ARM64 to gain natively binary compatibility with Apple's latest hardware."

Fat binaries

The latest MacBook Air, MacBook Pro and Mac Mini use the M1 chip, which is based on the ARM64 architecture. It's a completely different design from the Intel x86-64 processors used by previous Macs. 

Instead, the M1 is closely related to the A13 and A14 chips used on the most recent iPhones and iPads, and more distantly to chips used on Android devices and on earlier iPhones.

Most Mac software written for Intel chips will be translated by macOS Big Sur to run on the M1 chip. But it won't run as fast as software written natively for M1. 

That's why Mac developers are scrambling to include code built for both chip architectures in their software, resulting in "fat" or "multi-architecture" applications that contain two complete sets of binary data. MacOS will select whichever set is appropriate for that particular machine.

Needle in a haystack

Wardle wondered if any known malware was secretly using fat binaries that hadn't yet been spotted. So he searched in the online VirusTotal database for malware that met all the right parameters. 

Among other things, it had to be written for macOS or iOS, contain ARM64 instructions, support more than one chip architecture, be digitally "signed" by an Apple developer and be detected as malware by at least two antivirus engines.

He got more than 200 results, but most were for iOS jailbreaking software that was built to run on both older and newer iPhone/iPad chips. 

One result stood out: GoSearch22. It's a derivation of the older Pirrit adware, first spotted in 2016 and still plaguing Macs. And it's a fat binary with code for both x86-64 and ARM64 chips, indicating it was created to run on Macs rather than iOS devices.

"It seems like fairly vanilla adware," Wardle told Motherboard's Lorenzo Franceschi-Bicchierai. "Its main goal, objective, seems to be related to financial gain via ads, search results, etc."

One online malware-removal guide notes that GoSearch22 is similar to adware that "tend to be designed to collect browsing data" and may display ads that can "download and/or install unwanted apps by executing certain scripts."

That's certainly a concern. But there's no evidence yet that GoSearch22 does steal data or result in more malware being installed on Macs. You do want to make sure it's not on your Mac, however.

Harder to spot

What's more concerning is that while many of the best Mac antivirus programs catch the regular version of GoSearch22, fewer detect the M1-coded version. Wardle uploaded samples of both to VirusTotal, and as of this writing, 16 antivirus engines caught the x86-64 version, 14 the ARM64 one.

"Several industry-leading AV engines (who readily detected the x86_64 version) failed to flag the malicious arm64 binary," wrote Wardle.

All software that runs on macOS Big Sur needs to be digitally "signed" by a registered Apple software developer. That doesn't block malware from being installed — a developer ID is easy to buy or steal — but it does mean that Apple can revoke the developer's certificate, effectively blocking the software.

That's what Apple has done with the GoSearch22 adware. For now, you're safe from it on Big Sur, but that may change.

"As Apple has revoked the certificate, the malicious application will no longer run on macOS (unless of course, the attackers re-sign it with another certificate)," wrote Wardle in his blog post.

How to avoid infection by GoSearch22

To prevent being infected by Mac malware of any sort, pay close attention to the dialogue boxes that pop up on your screen. All software installations on Macs need your permission to proceed, but these dialogue boxes can be disguised to seem like its asking for other things. 

If your Mac is asking for something that has no relation to what you're actually doing at the moment, be suspicious.

You'll also want to avoid downloading random applications straight from the internet because these may have secretly bundled adware or malware that will try to install as well. 

Many of those applications will be blocked for lack of an Apple developer signature, but as we can see by GoSearch22, at least some of it gets through.

You'll also want to install and run Mac antivirus software. It'll create another layer of protection to catch things that might get through Apple's built-in defenses.

And keep in mind that malware developers, no matter which platform they're designing software for, always try to stay several steps ahead.

"Malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino," Wardle wrote. "There are a myriad of benefits to natively distributing native ARM64 binaries, so why would malware authors resist?"

Update: Looking to the future

Update: Thomas Reed, an expert on Mac malware with antivirus firm Malwarebytes, offered us his take on the severity of the Mac M1 malware problem.

"I don't think that M1 Mac users should worry too much about M1-native malware," Reed told Tom's Guide. 

Because any M1 malware you'd encounter would come as part of a double-architecture fat binary for the time being, Reed said, "nothing really changes with M1-native malware, other than being able to see which malware creators are most on the ball."

But that could change. 

"In the near future, this isn't a huge issue, as antivirus software can detect the Intel code in a fat binary just as well as for an Intel-only binary," Reed said. 

"However, this does mean that we should anticipate seeing malware creators switch to single-architecture M1-only binaries as a means of evading detection," he added. "Antivirus companies should start thinking now about how they will plan to detect these things when they start to appear in the future."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.