The first malware to specifically target MacBook Pro, MacBook Air and Mac Mini with the new M1 chip have just been discovered. Adware originally written for Intel Macs is actively targeting M1 Macs. It may not yet be detected by your antivirus software.
Do you remember the “I am a Mac, and I am a PC” advertisements (see video at the end of the article)? Behind the caricature that presents macs as totally immune to viruses, there is a more nuanced reality. All platforms, including Macs and iPhones, are targeted by malware. There is, however, a background of truth: in volume, the number of malware that targets Macs is much lower than the cohort of malicious programs that target Windows.
The macOS operating system is in itself very secure, and most of the malware seen on mac mainly affects a limited number of applications, such as web browsers. In addition, macs have a very small market share, which makes them less attractive to hackers. Many antiviruses exist yet on macOS, even if their installation is not officially recommended by Apple.
Adapting malware to the new M1 macs is surprisingly easy
After all, antiviruses do impact performance, and if they prove to be unnecessary 99% of the time, it makes sense to install them only when you suspect an infection. Because of the already privileged status of macs in terms of malware, one would have thought that the M1 Macs and their ARM chip would add an unprecedented degree of protection against current malware.
However, according to several security researchers Thomas Reed of Malwarebytes, Patrick Wardle, and researchers at Red Canary), we must not be wrong: Apple has done everything to facilitate the porting of x86 applications to the new architecture thanks to the Rosetta 2 system. It is also very easy to recompile malware in Xcode for the new ARM architecture. Adapting malware for M1 macs is therefore child’s play.
And so it is in this context that several malware have been discovered. We have at least one malware report sent to an antivirus database a few weeks after the release of M1 Macs. But another malware is actively exploited in the wild. It’s about a Safari extension named GoSearch32 – which is part of the AdWare Pirrit family. Fortunately, it is not very bad, but it may not yet be detected by anti-virus programs.
This is, you will understand, a direct adaptation of the same malware for Intel macs. “To observe that malware also makes its transition from Intel to M1 so quickly is worrying, because security tools are not ready. The security research community does not yet know the signatures that allow the detection of these hitherto unseen threats ”says Tony Lambert, a researcher from Red Canary.
Also read: Windows Defender ATP – Windows 10 antivirus is coming to Macs
Why not all antiviruses detect M1 versions of viruses yet
For Malwarebytes researcher Tomas Reed “It was inevitable anyway. Compiling for M1 can be as easy as pressing a button in project settings [Xcode]. And honestly I’m not at all surprised that it first happened through a variant of Pirrit. It is one of the most active adware families on Mac, and one of the oldest, and they are constantly changing to avoid detection ”.
For Patrick Wardle: “Some defensive tools like antivirus software still struggle to scan the ‘new’ format of executable binary files on M1 Macs. They can easily detect the Intel-x86 version, but fail to detect the ARM-M1 versions, even though the code is logically identical ”. So what if you have a Mac M1?
The first piece of advice is not to panic. The first malware examples described for M1 macs do not pose really critical security concerns. We note that the main vector of this malware is currently extensions for internet browsers. An area in which Apple can act. The certificate of the GoSearch32 extension has thus been deleted, which now prevents its use in Safari.
It is especially important to observe the behavior of your computer. If you find that something has changed, that ads are showing for no reason, or that your Mac M1’s performance has significantly reduced, it may be a sign of malware. It is then advisable to try an antivirus scan. If this is necessary, given the risk that all antivirus programs are not yet up to date on the definitions, we recommend that you try several scans with different programs, for example Malwarebytes, Avira and Avast.