A few months ago Apple released its new MacBook Air, MacBook Pro and Mac Mini powered by its ARM-based CPU, the Apple M1. However, it looks like the new devices are not spared by online attackers. In a recent report by Wired (via Ars Technica), Mac security researcher Patrick Wardle described an M1-native version of the long-running Mac-targeted Pirrit adware family.
Most existing macOS malware can already run on M1-equipped Macs via Rosetta 2, and many malware authors do not care about the CPU cycles they consume on a victim’s device. Even so, compiling adware natively for the chipset still has benefits: the more efficiently the code runs, the harder it becomes to spot.
Wardle used a researcher account at VirusTotal to look for M1-native malware. Although the search results mostly turned up iOS-targeted malware, Wardle did manage to find a Safari extension called GoSearch22. The application reportedly bundles an Info.plist file confirming that it is a macOS application and not an iOS one.
The app was signed with the Apple developer ID ‘hongsheng_yan’ in November 2020. It is not certain whether Apple notarised it, since the company has since revoked the certificate. Because the certificate has been revoked, this version of GoSearch22 will no longer run on macOS unless the author manages to sign it with another developer key.
As mentioned in the report, the GoSearch22 sample Wardle found triggered 24 different malware detection engines; 17 of those detections were ‘generic’, while the remaining seven matched it to signatures for the Pirrit adware family.
For those unaware, Pirrit is a long-running malware family that began on Windows but eventually made its way to macOS. Its presence on macOS was first reported by researchers in 2016. Once the user installs Pirrit-based software, which can be anything from a fake video player to a PDF reader, or a Safari extension in this case, the user’s default search engine is changed to something different and unhelpful.
In addition, the user’s web browser activity is tracked and the pages they visit are infested with unwanted ads. Once installed, the malware uses tricks to stay installed and undetected, and it seeks out and removes applications and browser extensions that could interfere with it.