First malware to infect Apple's M1 processor has been spotted

XDA

Apple M1 Macs face their first malware via an adware extension

By Kunal Khullar

Published Feb 18, 2021

The first ever piece of malware software that reportedly targets Apple's new ARM-based chipset for Macs has been found. Read on!

A lot of people might argue that Mac is comparatively safer than Windows. While that is largely true, the past few years have seen a steady increase which has become a cause of concern. A new malware has now been spotted, which is said to be the first such malicious piece of software targeting Apple's new M1 processor.

Making its debut late last year on the new MacBook Pro, MacBook Air, and Mac Mini, the new ARM-based M1 chipset has been praised for offering excellent performance compared to Intel's similar chipsets. The transition to ARM allowed Apple to move away from Intel’s x86 architecture from 2005 and integrate certain security features right onto its processors. This architecture change has forced developers to make newer versions of their software to run natively on the M1 chipset rather than translate them through Apple’s Rosetta 2 emulator. Unsurprisingly, creators of malware have also adapted to this transition, according to a report by Wired.

Mac security researcher Patrick Wardle's report explains how malware can be easily adapted and recompiled to run natively on the ‌M1‌ chip. The first M1 malware is apparently a Safari adware extension called “GoSearch22,” originally made to run on Intel x86 chips. It is said to be a part of the "Pirrit" Mac adware family, one of the oldest and most active Mac adware families that constantly changes to evade detection.

The adware disguises itself as a legitimate Safari browser extension. Simultaneously, it collects user data and induces a large number of ads, including banners and popups that link to malicious websites flooded with more malware. It is noteworthy that GoSearch22 was signed with an Apple Developer ID in November 2020, but its certificate has been revoked ever since. Further, Wardle suggests that the malware for the ‌M1‌ is at quite an early stage, and the signatures used to detect threats from malware on the ‌M1‌ chip have not yet been observed for the most part. Thus, it is pointless to use antivirus scanners and defensive tools as most of them struggle to process the amended files correctly. GoSearch22 is not the only M1 malware, as researchers from the security company Red Canary suggest that there are more such malicious pieces of software currently being investigated.