Spotlight on Security: Malware and Anti-Malware for Apple Silicon
In late 2020, Apple started selling laptop, desktop and all-in-one Mac computers with a new type of ARM-based processor, called the M1. It is expected to be the first in a whole new range of such CPUs, collectively known as Apple Silicon. The change from Intel processors is believed to be partly so that Apple had complete control of their entire manufacturing process. However, the new M1 processors bring a number of technical improvements as well.
Firstly, they are faster than comparably-priced Intel processors. Secondly, they are more energy efficient. This not only makes them more environmentally friendly, but also means that Mac laptops will provide better battery life for the same performance. A knock-on effect of this is that the new M1 processors do not get so hot in use. This leads to further advantages; without the need for a fan, it is easier to make very thin and light laptops such as the MacBook Air. It also means that users will not be irritated by fan noise whilst working.
M1 processors and the macOS operating system
The change in processor architecture meant that Apple’s current operating system, macOS 11, had to be modified to work with the new Apple Silicon CPUs. This is because they use a different instruction set from Intel-based Macs. Consequently, macOS 11, also known as Big Sur, was adapted so that it would work on both Intel-based Macs and the new Apple Silicon models. In practice, many users will not notice the difference. The operating system looks and works exactly the same on both types of Mac, with one minor exception, explained below.
Apple Silicon Macs and applications
Not only the operating system, but also applications for Apple Silicon Macs need to use a different instruction set from the versions designed for Intel-based Macs. However, many apps written for Intel-based Macs can also run on Apple Silicon Macs, by using Apple’s Rosetta 2 software. This is an emulation layer that translates instructions for Intel processors into the commands that are used by Apple Silicon processors, and vice-versa. Rosetta 2 is not installed by default on macOS Big Sur. However, as soon as the user tries to run a program designed for Intel Macs, they will be prompted to install it. Installation is extremely simple, and completes in seconds. Once Rosetta 2 has been installed, any additional programs designed for Intel Macs will be able to use it, without any further action being required of the user.
As a result of Apple developing Rosetta 2, there are two types of app that can work on Apple Silicon Macs. These are defined by Apple as “Universal Apps” and “Intel Apps”. Universal Apps are specifically written to run natively on Apple M1 chips. They are called “Universal” because the installer file normally contains two separate versions, one for older Intel-based Macs, and one for the new Apple Silicon Macs. The correct version to be installed will be selected automatically by the setup wizard. Intel Apps are written for Intel-based Macs only. However, these may be able to run on Macs with M1 processors by using Rosetta 2. Please note that any references to “Intel Apps” in this report simply mean that the app was intended to run on Macs with Intel processors; they are NOT intended to imply that the Intel company was involved in developing them.
Malware for Apple Silicon Macs
Sadly, cybercriminals were quick to find ways of attacking Macs that use the new processors. As early as March 2021, just a few months after the first M1 Macs were released, reports emerged of malware specifically targeting the new platform being found in the wild. Whilst the number of such malicious programs was very low – and one of the first ones to emerge appeared to be merely a harmless proof-of-concept experiment – it was clear that the new Mac platform would not be immune to threats.
There is also another means by which cybercriminals might be able to attack Mac systems with M1 chips. An unfortunate and unintended side-effect of installing Rosetta 2 on an Apple Silicon Mac is that this might allow some malware written for Intel Macs to run as well. Thus, users who run Intel Apps on Macs with M1 processors might feel that installing an antivirus program is particularly advisable.
AV-Comparatives investigate anti-malware programs for M1-based Macs
Given the existence of malware that targets Apple Silicon Macs, and the possibility of malware written for Intel-based Macs running via Rosetta 2 if this is installed, AV-Comparatives have researched which antivirus programs are currently compatible with Macs that use the Apple Silicon M1 processor.
To test which AV apps function correctly with Apple Silicon Macs, AV-Comparatives ran a functionality check of popular AV programs for macOS. The list of AV apps checked was naturally not exhaustive. We used a late-2020 Mac Mini with an Apple Silicon M1 chip, running a clean, fully updated installation of macOS Big Sur 11.5.2. We pre-installed the Rosetta 2 emulation software that allows apps designed for Intel processors to run on M1 Macs. To find out how each app reacts when malware is detected, we used a very small selection of highly prevalent, recent Mac malware that will run on this version of macOS. Please note that this was NOT a test to determine how many samples were detected, although all the apps we have listed as compatible detected the majority of the samples we used.
We installed each antivirus app on the clean-base system, carefully following the respective vendor’s instructions for granting system permissions such as Full Disk Access. When installation was complete, we ran a manual update of malware signatures (where available), and then restarted the Mac. Next, we disabled the respective app’s real-time protection, then noted whether a warning was shown, and if the protection could be reactivated using the “Fix All” button provided by the vendor. We reactivated real-time protection for the remainder of the checking process.
After that, we attempted to copy malware samples from a network share to the Desktop folder of our macOS system. If any of the malware samples were not detected by on-access protection during the copy process, we executed them. Next, we repeated this procedure, but using malware samples on a connected USB flash drive rather than a network share. Finally, we ran an on-demand scan of malware samples on a connected USB flash drive.
Please note that this is by no means an exhaustive list of all possible functions or malware detection scenarios. Furthermore, AV-Comparatives cannot take any responsibility for the correct functioning of any of the apps mentioned here. We advise readers to check up-to-date system requirements on the respective vendor’s websites before installing, and to install a trial version of any app before making a purchase. We also recommend backing up important data, and making a disaster recovery plan (such as creating an appropriate bootable macOS installer drive) first.
Finally, as noted above, the functionality check we ran for this report is not a malware detection test. We used only a handful of Mac malware samples, and even if an AV app had detected only one of these, this would have been sufficient as a proof of concept, to demonstrate that protection mechanisms were working. Our 2021 Mac Security Test and Review, which was conducted using Intel-based Macs, will provide a guide to the detection rates provided by some of the Mac AV apps listed here. https://www.av-comparatives.org/tests/mac-security-test-review-2021/
To pass our Apple-Silicon-compatibility check, each program had to do the following:
• Install successfully without requiring specialist technical knowledge or workarounds
• Provide clear instructions for granting necessary permissions in the macOS Settings app
• Activate real-time protection
• Successfully update malware signatures, either automatically or manually
• Allow the user to log in to the vendor’s user account where necessary
• Warn if real-time protection is disabled, and let the user reactivateit using the button provided
• Detect at least some of the highly prevalent malware samples, at the latest on execution
• Display appropriate detection alerts
• Delete or quarantine detected malware samples
The program compatibility information provided in this report was correct at the time of publishing (late August 2021). However, it is to be expected that vendors whose products are currently not compatible with Apple M1 chips, or who do not officially support them at the moment, will release compatible/supported versions in the near future.
We have listed apps that passed our functionality check in four categories:
1. Universal Apps that are explicitly supported by their respective vendors. That is to say, in each case the vendor’s website states that the respective app is natively compatible with Apple Silicon Macs. This may be shown on the system requirements page; alternatively, the download page may sense the platform being used, and state that the app is compatible with it.
2. Intel Apps that are explicitly supported by their respective vendors. Here, the vendor states that the program is compatible, on the assumption that Rosetta 2 is installed.
3. Universal Apps that are not explicitly supported by their respective vendors. In this case, each app has clearly been written to perform optimally on Apple Silicon Macs, but the respective vendor does not include Apple M1 chips among the stated system requirements for that app.
4. Intel Apps not explicitly supported by their respective vendors.
List of AV apps for M1 Macs that passed AV-Comparatives’ functionality check
Please note that programs are listed alphabetically within each category. The version number given for each app refers to the version we used in our functionality check.
1. Universal Apps explicitly supported by their respective vendors
AVG AntiVirus FREE for Mac 19.9
Avira Free Security for macOS 1.7.4
2. Intel Apps explicitly supported by their respective vendors
Sophos Home for Mac 10.0.4a4
3. Universal Apps not explicitly supported by their respective vendors
Avast Free Security for Mac 14.10
Intego Mac Internet Security X9 10.9.53
K7 Antivirus for Mac 1.2
Kaspersky Internet Security for Mac 220.127.116.11
4. Intel Apps not explicitly supported by their respective vendors
Clario Mac Keeper 5.6
ESET Cyber Security 6.10.700.0
F-Secure SAFE 17.10
G Data Antivirus Mac 1.3.2655
McAfee Total Protection for macOS 4.11.11
NortonLifeLock Norton 360 Standard 8.6.6
Total AV for Mac 5.4.25
VIPRE Advanced Security for Mac 11.0.27