Researchers have discovered what appears to be the first malware built to run natively on Apple's M1 chip, a sign that malicious actors are already adapting their tooling to the new architecture.
Announcing the Apple M1 chip:
When Apple introduced Apple silicon and announced that Macs would move from Intel processors to the company's own chips, the M1 was the first of those chips to be unveiled. Apple claimed large gains in performance and power efficiency for the new processor, and the M1 has lived up to those claims.
However, recent findings indicate that malicious actors have started adapting their malware to target the latest generation of Macs powered by the company's own processors.
Just as the transition to Apple silicon has required legitimate developers to build native versions of their apps for the best performance and integration, threat actors are now making the same effort, building malware that executes natively on the M1 rather than through Rosetta 2 translation.
Crafted Malware GoSearch22:
GoSearch22 is the name of a malicious Safari extension that behaves as adware. It appears to have been written originally for Intel x86 Macs and, since the transition, has been recompiled so that it also runs natively on the M1.
GoSearch22 is a variant of the Pirrit adware family and was first sighted in late November 2020.
Researchers who examined the sample confirmed that threat actors are now building multi-architecture (universal) binaries so that the same malware runs on both Intel and M1 Macs; the GoSearch22 extension may simply be the first such sample to be identified.
Parent adware Pirrit:
GoSearch22 belongs to the Pirrit adware family, which has been documented since 2016.
Pirrit is especially notorious for pushing intrusive and deceptive advertisements to users; when clicked, these download and install unwanted apps on the Mac, some of which carry data-stealing capabilities.
The heavily obfuscated GoSearch22 adware masquerades as a legitimate Safari extension. In reality it collects browsing data and serves a stream of ads, such as pop-ups and banners, some of which link to shady websites that distribute additional malware.
The extension was signed with an Apple Developer ID (“hongsheng_yan”) to give it an appearance of legitimacy, but Apple has since revoked that certificate. With the signing identity revoked, macOS will refuse to run the extension unless the threat actors re-sign it with a different certificate. On a Mac, the signing identity and its status can be inspected with codesign -dvvv on the binary and spctl --assess --type execute on the bundle.
While the discovery illustrates how malware evolves to follow every hardware change, experts also caution that antivirus engines and analysis tools may struggle with arm64 binaries: detection signatures and tooling developed against the x86_64 build of a sample do not automatically cover a recompiled arm64 slice of the same code.
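One practical check that follows from the discussion of multi-architecture binaries above and from the caution about tools struggling with arm64 code is to enumerate the architectures a Mach-O file actually carries. The Python script below is an added example, not code from the original article or from the researchers it cites; it parses the Mach-O fat (universal) header and the thin 64-bit header directly from the file bytes, so it works on non-Mac analysis hosts, and it uses constructed header bytes as sample input (no real GoSearch22 sample is included).

```python
import struct

# Mach-O constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") header, always big-endian on disk
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O header
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64   # 0x01000007
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64    # 0x0100000C

CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM64: "arm64",
}

# Real universal binaries carry a handful of slices. Java class files share the
# 0xCAFEBABE magic, so an implausible slice count is the usual way to tell them apart.
MAX_FAT_ARCHS = 30


def macho_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures contained in a Mach-O image (thin or universal)."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")

    (magic_be,) = struct.unpack_from(">I", data, 0)
    if magic_be == FAT_MAGIC:
        (nfat_arch,) = struct.unpack_from(">I", data, 4)
        if nfat_arch == 0 or nfat_arch > MAX_FAT_ARCHS:
            raise ValueError(f"implausible nfat_arch={nfat_arch}; probably not a Mach-O fat file")
        archs = []
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (5 x uint32, big-endian)
            cputype, _cpusubtype, _offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            archs.append(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
        return archs

    # Thin images store the header in the CPU's native byte order; for x86_64 and
    # arm64 that is little-endian.
    (magic_le,) = struct.unpack_from("<I", data, 0)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        (cputype,) = struct.unpack_from("<I", data, 4)
        return [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]

    raise ValueError("not a Mach-O image (unknown magic)")


def runs_natively_on_m1(data: bytes) -> bool:
    """True if the image carries an arm64 slice, i.e. it runs on Apple silicon without Rosetta 2."""
    return "arm64" in macho_architectures(data)


# --- constructed sample headers (not real binaries) -------------------------------

def build_fat_header(cputypes: list[int]) -> bytes:
    """Construct a universal header whose slices each claim to start on a 16 KiB boundary."""
    header = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        cpusubtype = 3 if cputype == CPU_TYPE_X86_64 else 0   # CPU_SUBTYPE_X86_64_ALL / ARM64_ALL
        header += struct.pack(">5I", cputype, cpusubtype, 0x4000 * (i + 1), 0x1000, 14)
    return header


def build_thin_header(cputype: int) -> bytes:
    """Construct a mach_header_64 (8 x uint32, little-endian) with filetype MH_EXECUTE (2)."""
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


SAMPLE_UNIVERSAL = build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])  # shape of an M1-ported sample
SAMPLE_INTEL_ONLY = build_thin_header(CPU_TYPE_X86_64)                   # legacy Intel-only build
SAMPLE_JAVA_CLASS = bytes.fromhex("cafebabe00000041")                    # Java class: minor 0, major 65

if __name__ == "__main__":
    for name, blob in [("universal", SAMPLE_UNIVERSAL), ("intel-only", SAMPLE_INTEL_ONLY)]:
        print(f"{name}: {macho_architectures(blob)} -> native on M1: {runs_natively_on_m1(blob)}")
```

On a Mac the same information comes from lipo -archs or the file command; parsing the header by hand matters when triaging samples in a pipeline on Linux hosts, where a sample whose x86_64 slice is already flagged may still carry an arm64 slice that existing signatures never saw.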
GoSearch22's capabilities are neither new nor especially dangerous, but the arrival of M1-native malware marks a starting point, and more strains are very likely to follow.