First native Apple Silicon malware discovered

The first native Apple Silicon malware built to execute on Apple’s new M1 Macs has been discovered by security researcher Patrick Wardle.

The new MacBook Air, 13-inch MacBook Pro, and Mac mini are now powered by M1, Apple’s revolutionary chip.
The new MacBook Air, 13-inch MacBook Pro, and Mac mini are now powered by M1, Apple’s revolutionary chip.

Michael Potuck for 9to5Mac:

Patrick shared how he went about finding the new Apple Silicon specific malware and why this matters.

As I was working on rebuilding my tools to achieve native M1 compatibility, I pondered the possibility that malware writers were also spending their time in a similar manner. At the end of the day, malware is simply software (albeit malicious), so I figured it would make sense that (eventually) we’d see malware built to execute natively on Apple new M1 systems.

Before going off hunting for native M1 malware, we need have to answer the question, “How can we determine if a program was compiled natively for M1?” Well, in short, it will contain arm64 code! OK, and how do we ascertain this?

One simple way is via the macOS’s built-in file tool (or lipo -archs). Using this tool, we can examine a binary to see if it contains compiled arm64 code.

After passing a few more checks, Patrick was able to confirm this is malware optimized for M1 Macs.

Hooray, so we’ve succeeding in finding a macOS program containing native M1 (arm64) code …that is detected as malicious! This confirms malware/adware authors are indeed working to ensure their malicious creations are natively compatible with Apple’s latest hardware. 🥲

MacDailyNews Take: It was only a matter of time. The good news is that no malware has ever run more efficiently. 😉

Note that Wardle reports that what is not known is whether Apple notarized that code. That’s unknown, because at this time Apple has (now) revoked the certificate, but what we do know is that “this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected.”

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.