M1 Mac Malware — The Truth!

First malware running on M1. First malware designed for M1. First M1 malware has arrived. First M1 malware discovered. M1 faces first malware. First. First. First in YouTube comments: First!

But other than being first to scream first onto the internet, what does this really mean for M1, the Mac, and most importantly — us?

Only a small percentage of you watching are actually subscribed, so do me a solid and hit that button and bell, so we can build the biggest and best community in tech, together.

The internet has exploded with M1 Mac malware headlines this week, from the genuinely informative to the pathetically sensational. Like, from in-depth technical explainers to O.M.G I’m throwing my M1 in the trash fire now. D.E.D. DED.

And I’ll explain what it all actually means in a hot minute, but I get it, I totally get it, the first time anything new happens it’s… news by definition, and if it involves Apple, it’s big news. I mean, never mind if-it-bleeds-it-leads, if it’s Apple it’s clickable. And that’s actually really good for Apple customers: the more and higher the scrutiny Apple’s under, the better for us. I high key wish every company got the same amount of scrutiny so every customer would get the same benefits from it. Currently, it’s just another advantage of buying from Apple.

At the same time, I also firmly believe that with great audience comes great responsibility. That if you have a platform you shouldn’t use it to scare or stress people but to educate and empower them. In other words, the headline will get you the click, it’s what you do after that that defines you.

So, let’s dig into exactly what’s happening here …

First, malware means malicious software, in other words, any code designed to damage or compromise your computer. There are viruses and Trojan horses that want to get in and take over various levels of control, spyware that wants to steal your data, ransomware that wants to hold your data hostage, and adware that wants to jack money from your clicks.

Originally, malware was far more common on Windows than Mac because Windows was far more common than the Mac. And the people making the malware wanted to spend their time on the biggest, most valuable, then-most vulnerable market possible. But, with the increasing power and importance of web browsers, the explosion of iOS, and the high value of mass-market Apple customers, it became more and more economical to target the Mac as well, even specifically.

Hence, the Mac malware we’ve seen creeping, coming up over the last few years. And with it, Apple’s escalating efforts to keep Mac users safe.

Because, where the iPhone and iOS were designed to be little crypto bricks from the start, the Mac originated as a relatively open computing system, and that required Apple’s security teams to think… different.

Over the years, that’s included sandboxing, to prevent code from spreading from one app to another; Gatekeeper, to prevent unauthorized apps from running without our express permission; System Integrity Protection and read-only system volumes, to prevent code from modifying the operating system; system extensions and DriverKit, to keep modifications out of kernel space and move them into user land; and a permission system, so apps have to ask before they can access files. And XProtect, Notarization, and MRT, the malware removal tool, which try to prevent malware from getting onto the Mac to begin with, allow Apple to scan apps before they’re distributed and revoke certificates to stop them running if they later turn bad, and even remove or remediate known infections if they somehow still land.

While some of this… defense in depth… like Gatekeeper and permissions is wicked obvious because it pops up and pops off so damn always, other things like XProtect and MRT work quietly in the background, so you may not even know they’re there.

And, ultimately, malware is just code. If it runs on Intel, chances are it can run through Rosetta 2 on the M1, or the developer can use the same tools any developer uses to port that code to Apple silicon. From x86 to ARM64.

A tool is… just a tool. Apple makes excellent, excellent tools. That’s why we have so many apps ported over to M1 already. Even big, sophisticated apps. But even the best tools can and will be used for bad things.

So, just like any other code, any other apps, someone used those excellent tools to port not a utility or game from Intel to M1, but malware.

Which is absolutely super frustrating, really an inconvenience, but not surprising or even unexpected. Not in the least. Not if you understand even the basics of how any of this works. Which everyone covering it really, really should.

Same goes for Silver Sparrow, the second bit of malware to get attention this week, discovered on both Intel and the M1 Macs. Because, again, code can be ported. That’s how code works.
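The point above, that the same binary can carry an Intel slice, an Apple silicon slice, or both, is something a defender can check directly in the file header. As an added example (not from the video, and not Apple's or any researcher's tooling), here is a small Python parser for the Mach-O header that reports which architectures an image contains; the magic numbers and CPU type values are Apple's published constants, and the sample headers are constructed inline rather than taken from any real binary.

```python
import struct

# Mach-O magic numbers and CPU types (values from Apple's mach-o/loader.h and mach/machine.h).
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") binary header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # single-architecture 64-bit Mach-O header, stored little-endian
MH_MAGIC = 0xFEEDFACE         # single-architecture 32-bit Mach-O header
CPU_TYPES = {0x00000007: "x86", 0x01000007: "x86_64", 0x0000000C: "arm", 0x0100000C: "arm64"}


def mach_o_archs(data: bytes) -> list:
    """Return the architecture names contained in a Mach-O image (thin or universal)."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java class files share the CAFEBABE magic; a real fat header has a small slice count.
        if nfat == 0 or nfat > 30 or len(data) < 8 + 20 * nfat:
            raise ValueError("CAFEBABE magic but implausible slice table; not a universal binary")
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i                        # each fat_arch entry is 5 big-endian uint32s
            cputype, _sub, _offset, _size, _align = struct.unpack(">IIIII", data[off:off + 20])
            archs.append(CPU_TYPES.get(cputype, hex(cputype)))
        return archs
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        cputype = struct.unpack("<I", data[4:8])[0]  # thin header: cputype follows the magic
        return [CPU_TYPES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O image")


def runs_natively_on_apple_silicon(data: bytes) -> bool:
    """True if the image carries an arm64 slice, i.e. it needs no Rosetta 2 translation on M1."""
    return "arm64" in mach_o_archs(data)


# Constructed sample headers (not real binaries): a universal x86_64+arm64 header and two thin ones.
UNIVERSAL_HEADER = (struct.pack(">II", FAT_MAGIC, 2)
                    + struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x1000, 14)
                    + struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x1000, 14))
THIN_ARM64_HEADER = struct.pack("<IIII", MH_MAGIC_64, 0x0100000C, 0, 2)
THIN_X86_64_HEADER = struct.pack("<IIII", MH_MAGIC_64, 0x01000007, 3, 2)

if __name__ == "__main__":
    for name, hdr in (("universal", UNIVERSAL_HEADER), ("thin arm64", THIN_ARM64_HEADER),
                      ("thin x86_64", THIN_X86_64_HEADER)):
        print(name, mach_o_archs(hdr), "native on M1:", runs_natively_on_apple_silicon(hdr))
```

On a Mac, `file` and `lipo -archs` report the same information for a real binary; the parser above is only meant to show where in the header that answer comes from.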

And Apple can pull the certificate to stop it. That’s how the system works… how it’s working as intended.

But the other part of the story here, the part that isn’t getting as much attention, is that while the code may be ported, the environment it’s being ported to is very different.

M1 is the same silicon generation as A14 Bionic, the chipset in the iPhone 12. And that doesn’t just translate to very high levels of performance efficiency, it also translates into very high levels of hardened security.

Instead of Apple having to do a lot of more complex mitigations in software, the way they’ve had to with Intel chips in the past, now they can do them from the silicon on up as well. Just like they’ve been doing on the iPhone and iPad for years.

That means, instead of flinging malware at a semi-detached wood cabin, they’re now flinging it at a not-so-little crypto brick. There will still be issues, there will still be holes, there will still be bugs and exploits, and Apple will still be judged on how fast their red teams respond to all of them every time. But the Mac in standard mode, the way the vast majority of mainstream customers will be using it, starts off on a much, much better security foundation. And that’s a huge benefit to everyone using M1.

Plus, Apple works continuously on new and improved systems as well, like what’s coming in iOS 14.5. Namely, BlastDoor, which will protect against things like Unicode rendering bugs and malicious payloads in iMessage, and also new protections against zero-click attacks.

And on M1, all that gets the advantages of the silicon-based security engines as well.

Now, I’m trying to keep this relatively high-level, because my goal here is to make sure everyone is informed about the existence of malware targeted at all Macs, including M1, but not made to feel afraid simply, unremarkably, just because it exists, because attention jacking is really just another form of malware.