Jamf Blog
February 17, 2021 by Matthias Wollnik

Malware adapts. Even to the M1 chip.

Malware authors are rebuilding malware for M1 as universal binaries, and endpoint protection must meet the charge.

Benefits of the M1 Chip and a universal binary

Here at Jamf, we have been spending a lot of time looking at the benefits that Apple’s new M1 silicon brings to the Mac ecosystem. While the security benefits for M1 are pretty clear, much of the conversation around this new architecture has been focused on developers needing to adapt their software to support M1 directly.

macOS apps come in two primary flavors:

  • Those that support Intel-based Mac devices
  • Those that support both Intel and M1-based Mac devices, also referred to as universal binaries.

When a user attempts to run an application that was designed only with the Intel platform in mind on an M1 device, macOS uses a translation layer known as Rosetta 2 to translate the Intel binary. This has the potential to introduce performance issues and bugs, since developers generally do not validate their app running under translation. Developers are therefore hurrying to rebuild their apps as universal apps, which not only ensures they run as intended on M1 devices but also takes advantage of the speed of M1 devices running purpose-built code.

Enterprising malware developers are rebuilding their malware for universal binaries

We are now starting to see malware developers take advantage of all the performance M1 brings to any software running on those devices.

Patrick Wardle detailed his hunt for malware supporting M1 in a new blog post on the subject. To make a long story short: malware authors are rebuilding malware for M1 as universal binaries.

The specific piece of malware he discovered was a variant of the Pirrit adware (calling itself GoSearch22.app). While the specific sample seems to have been captured as part of an incident response process in late December 2020, it was signed (with a now revoked certificate) back in November 2020. On the positive side, because the universal binary was built to run on both Intel and M1 devices (building for both is not required), most anti-virus engines, including Jamf Protect, correctly identify this variant of Pirrit and block it.

Only the beginning: malware authors will keep up their efforts

The M1 component of this universal binary was identified by fewer anti-virus engines and poses new challenges for the automated analysis such tools rely on. It is to be expected that malware authors will continue to push the envelope in attempting to avoid detection while leveraging the performance boost of the M1 architecture. This introduces new challenges for anti-virus tools that are not designed from the ground up to detect attacks and malware for Mac.
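When triaging a sample like the one above, a defender first wants to know which slices the universal binary actually carries, because an M1 slice that fewer engines inspect still has to be analysed. The following Python is an added example, not Jamf's or Patrick Wardle's code: it reads the fat header and the thin 64-bit Mach-O header directly (the same information `lipo -archs` and `file` print on macOS) and runs against a constructed universal binary embedded in the script.

```python
import struct

FAT_MAGIC = 0xCAFEBABE            # universal (fat) header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF          # thin 64-bit Mach-O header, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def mach_o_slices(data: bytes) -> list:
    """Return the architectures contained in a thin Mach-O or universal binary."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or nfat > 32:          # 0xCAFEBABE is also the Java class-file magic
            raise ValueError("implausible slice count; probably not a universal binary")
        names = []
        for i in range(nfat):
            off = 8 + i * 20                 # each fat_arch entry is five big-endian uint32s
            cputype, _subtype, offset, size, _align = struct.unpack(">5I", data[off:off + 20])
            if offset + size > len(data):
                raise ValueError(f"slice {i} points past end of file")
            names.append(CPU_NAMES.get(cputype, f"cputype_0x{cputype:x}"))
        return names
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, f"cputype_0x{cputype:x}")]
    raise ValueError("not a Mach-O or universal binary")

def has_arm64_slice(data: bytes) -> bool:
    """True when the sample carries native Apple silicon code that must be analysed too."""
    return "arm64" in mach_o_slices(data)

def thin_header(cputype: int, subtype: int) -> bytes:
    """Constructed minimal 64-bit Mach-O header (32 bytes, MH_EXECUTE, no load commands)."""
    return struct.pack("<8I", MH_MAGIC_64, cputype, subtype, 2, 0, 0, 0, 0)

def build_sample_universal() -> bytes:
    """Constructed universal binary with an x86_64 and an arm64 slice, for offline testing."""
    x86 = thin_header(CPU_TYPE_X86_64, 3)
    arm = thin_header(CPU_TYPE_ARM64, 0)
    header = struct.pack(">II", FAT_MAGIC, 2)
    # fat_arch entries: cputype, cpusubtype, offset, size, align (offsets follow the 48-byte table)
    table = struct.pack(">5I", CPU_TYPE_X86_64, 3, 48, len(x86), 0)
    table += struct.pack(">5I", CPU_TYPE_ARM64, 0, 48 + len(x86), len(arm), 0)
    return header + table + x86 + arm
```

Feed `mach_o_slices()` the bytes of a real sample instead of the constructed one to list its slices; a file that reports only `x86_64` ran under Rosetta 2 on M1, while one that includes `arm64` needs its native slice covered by the analysis pipeline.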

Get purpose-built Mac endpoint protection with Jamf Protect.

Matthias Wollnik
Jamf