Longtime Mac security researcher Patrick Wardle published findings on Wednesday about a Safari adware extension that was originally written to run on Intel x86 chips, but has now been redeveloped specifically for M1. The malicious extension, GoSearch22, is a member of the notorious Pirrit Mac adware family. “This shows that malware authors are evolving and adapting to keep up with Apple's latest hardware and software,” says Wardle, who also develops open source Mac security tools. “As far as I know, this is the first time we've seen this.” Researchers from the security firm Red Canary tell WIRED that they are also investigating an example of native M1 malware that appears distinct from Wardle's finding.
Given that Apple's ARM chips are the future of Mac processors, it was inevitable that malware authors would eventually start writing code just for them. Someone uploaded the tailored adware to the antivirus testing platform VirusTotal at the end of December, a little over a month after the M1 laptops shipped. Many researchers and organizations routinely upload malware samples to VirusTotal automatically or as a matter of course. The adware sample Wardle found there takes a standard tactic of posing as a legitimate Safari browser extension and then collecting user data and serving illicit ads like banners and popups, including those that link to other malicious sites.
Apple declined to comment about the finding. Wardle says the adware was signed with an Apple developer ID, a paid account that allows Apple to keep track of all Mac and iOS developers, on November 23. The company has since revoked the GoSearch22 certificate. Malwarebytes Mac security researcher Thomas Reed agrees with Wardle's assessment that the adware was not very novel in itself. But he adds that it's important for security researchers to be aware that native M1 malware is not just coming, but already here.
“It definitely was inevitable—compiling for M1 can be as easy as flicking a switch in the project settings,” Reed says. “And honestly, I’m not at all surprised by the fact that it happened in Pirrit first. That’s one of the most active Mac adware families, and one of the oldest, and they’re constantly changing to evade detection.” The malicious Safari extension does have some anti-analysis features, including logic to try to avoid debugging tools. But Wardle found that while VirusTotal's suite of antivirus scanners easily spots the x86-based version of the adware as malicious, there was a 15 percent drop in detection of the M1 version.
“Certain defensive tools like antivirus engines struggle to process this 'new' binary file format,” Wardle says. “They can easily detect the Intel-x86 version, but failed to detect the ARM-M1 version, even though the code is logically identical.”
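As an added example that is not part of the article or of Wardle's tooling, the Python helper below reads the first bytes of a Mach-O file and reports which CPU architectures it carries (a thin arm64 or x86_64 binary, or the slices of a universal binary). A defender can run it over incoming samples to flag native arm64 code that signatures tuned for x86 builds may miss. The sample headers are constructed inline and are not real malware; the constants come from Apple's public Mach-O headers.

```python
import struct

# Mach-O constants (from Apple's <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header, stored little-endian
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") binary header, stored big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def mach_o_archs(data: bytes) -> list[str]:
    """Return the CPU architectures present in a Mach-O or universal binary."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    # Universal binaries are big-endian: magic, nfat_arch, then fat_arch[] entries
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        archs = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (5 x uint32)
            cputype = struct.unpack_from(">5I", data, 8 + 20 * i)[0]
            archs.append(CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})"))
        return archs
    # Thin 64-bit Mach-O: little-endian magic followed by cputype
    magic, cputype = struct.unpack_from("<II", data, 0)
    if magic == MH_MAGIC_64:
        return [CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})")]
    raise ValueError("not a 64-bit Mach-O or universal binary")


def triage(data: bytes) -> dict:
    """Flag samples that carry native arm64 code, which x86-tuned signatures can miss."""
    archs = mach_o_archs(data)
    return {"archs": archs, "arm64_native": "arm64" in archs,
            "x86_64_only": archs == ["x86_64"]}


# Constructed sample headers (not real binaries); 32 bytes is the mach_header_64 size.
SAMPLE_X86_64 = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64).ljust(32, b"\0")
SAMPLE_ARM64 = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_ARM64).ljust(32, b"\0")
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">5I", CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14)
              + struct.pack(">5I", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14))

if __name__ == "__main__":
    for name, blob in [("x86_64", SAMPLE_X86_64), ("arm64", SAMPLE_ARM64), ("fat", SAMPLE_FAT)]:
        print(name, triage(blob))
```

To use it on a real file, pass the first few hundred bytes of the file to `triage`; only the header region is read.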