Hackers Are Starting to Code Malware Specifically for Apple’s M1 Computers

Apple-mac-m1

Image: Daniel Acker/Bloomberg via Getty Images

Last year, Apple launched its first computers powered by the company’s own hardware, prompting many developers to code apps specifically for the new M1 processors. Now hackers are following suit, too.

Patrick Wardle, an independent security researcher who develops free security tools for Macs, said he has found what may very well be the first example of a malicious application developed natively for the new ARM M1 processors. In a blog post published on Wednesday, Wardle analyzed an application that appears to be a new version of an infamous adware for MacOS. 

Advertisement

The adware installs itself as a malicious Safari extension and is an updated version of an app that calls itself GoSearch22, according to Wardle. The adware collects data from the browser and displays pop-ups, coupons, and banners for ads, according to security website PC Risk

“It seems like fairly vanilla adware,” Wardle told Motherboard in an online chat. “Its main goal, objective, seems to be related to financial gain via ads, search results, etc.”

Wardle, however, warned that it’s possible that the developers of GoSearch22 could update in the future to include even more invasive and malicious functions.

According to VirusTotal, an online malware repository that shows whether antivirus software detects certain files as malicious, GoSearch22 is a new updated version of an infamous adware known as Pirrit. In 2016 and 2017, cybersecurity researcher Amit Serper published several reports on Pirrit noting that while it was not a “groundbreaking threat, it gives attackers persistence over your machine and is extremely hard for the average user to remove.”

Do you have information about this piece of malware or other Mac malware? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email lorenzofb@vice.com

Serper said in an online chat that this new adware found by Wardle looks “very familiar” to the Pirrit adware he analyzed years ago. 

In 2017, Serper revealed that Pirrit was developed by an ad tech company called TargetingEdge. At the time, the company sent Serper cease and desist letters in an attempt to stop him from publishing his research, claiming they had nothing to do with Pirrit and that their software is not malware. 

Advertisement

Wardle said he did not find a link between this new Pirrit version and TargetingEdge, but that may be because he only looked at the adware “from a technical point of view.”

TargetingEdge did not respond to a request for comment. 

Wardle said that this adware was uploaded to VirusTotal by a user who found it in the wild, likely thanks to KnockKnock, a tool developed by Wardle to detect malware on MacOS.  

Interestingly, Wardle noticed that not all antivirus engines seem to be ready to detect malware made for the M1 processors. In a simple experiment, Wardle separated the old version of Pirrit from the new one, uploaded them to VirusTotal and saw that around 15 percent of antivirus engines did not detect the new version as malware.  

“This should be seen as somewhat of a wakeup call to security tools / [antivirus] engines to make sure they are tested against arm64,” Wardle said.

The good news is that Apple has revoked the developer certificate used by Pirrit’s makers, which should prevent users from installing it. 

Apple did not respond to a request for comment. 

In a way, this discovery shows that malware makers are just like any other developers, they have to keep up with newer technologies. 

“The adware folks have demonstrated the most adaptability on macOS. If anyone were going to be first, I would have expected it to be the folks behind Pirrit, Genieo, or Bundlore,” said Thomas Reed, a cybersecurity researcher who works for Malwarebytes, referring to other types of adware. “They’re the most active, and most apt to use new techniques.”

Subscribe to our cybersecurity podcast CYBER, here.