Apple Macs are becoming more popular in the workplace, and the number of malware variants targeting macOS is increasing as well. However, the M1, Apple's new system-on-a-chip, has produced a new generation of macOS-specific malware that anti-malware tools, threat hunters, and researchers must swiftly learn to recognize and, eventually, fight. Historically, most macOS malware has been reused from Windows malware variants. But when employees built up home offices as a result of the pandemic's shift to work-from-home, more Macs entered the industry, making them a more valuable target for attackers targeting enterprises.
Apple's new ARM64-based microprocessor, the M1, has already witnessed an increase in malware types created expressly for it, according to Mac security specialist Patrick Wardle. "As attackers evolve and change their ways, we as malware analysts and security researchers need to stay abreast of that as well.” In 2020, around half of all macOS malware, such as adware and nation-state attack code, may have migrated from Windows or Linux.
M1 offers faster and more efficient processing, graphics, and battery life, and is now available in Apple's new Macs and iPad Pro. It also has several new built-in security mechanisms, such as one that protects the computer from remote exploitation and another that protects physical access.
According to a recent Malwarebytes survey, Windows malware detections are down 24% among business users, while Mac malware detections are up 31%. Wardle discovered in his research that when he separated the binaries for macOS malware into two categories, one for Intel-based Macs and the other for M1-based Macs, anti-malware systems detected the Intel-based malware more successfully than the M1-based malware, despite the fact that the binaries are "logically the same."
For the M1 malware, their detection rate dropped by 10%. That's a clue, he says, that existing antivirus signatures are mostly for the Intel edition of the macOS malware, rather than the M1 variant. Because static analysis alone can fail, detections should also use behavior-based technology.
It's a matter of honing malware analysts' and threat hunters' skills to the new Apple silicon, he says. With reverse-engineering abilities and an awareness of the ARM64 instruction set, he says he wants to "empower Mac analysts, red teams, and everyone in cybersecurity." Wardle says, "The M1 system actually does significantly improve security at the hardware level, but it's transparent to the everyday user."