New Malicious Adware Exploits Apple M1 Chip

GoSearch22 is an Off-Shoot of macOS-Targeting Pirrit Adware
New Malicious Adware Exploits Apple M1 Chip
GoSearch22 is a malicious adware disguised as a Safari extension. Photo: ISMG

A security researcher has uncovered what is believed to be the first-ever malware variant that can be successfully executed in Apple's M1 chips, its latest central processor unit for Mac computers.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

In a blog post, independent macOS security researcher Patrick Wardle notes that the application called GoSearch22 is a malicious adware disguised as a Safari extension. He says the malware is capable of stealing browser data from its victims and acts as a persistent agent for further compromise.

Wardle adds that the malware was first uploaded to VirusTotal in December 2020 and says it is the first-ever variant that can run natively on Apple's M1 chips.

"Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast," Wardle says. "We highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to arm64 to gain natively binary compatibility with Apple’s latest hardware."

Malware Variant

Wardle says GoSearch22 is an off-shoot of Pirrit adware, which has been active since 2016. Pirrit is known to exclusively target macOS devices to steal data from victims and spy on people's web browsing. Adware is mostly spread as anti-virus software or as Apple support apps.

GoSearch22 disguises itself as a Safari extension, signed with Apple developer ID to evade detection. The malicious application collects the victim's browsing data such as IP addresses, addresses of visited web pages, entered search queries, geolocations and other browsing-related information.

There are two versions of the malware - the arm64 version and the x86_64 version - however, due to the highly obfuscated nature of the malware code, the variants are not easily detectable, says Wardle.

He adds that the certificate of the malicious app has been revoked by Apple, noting that it is currently unavailable. However, details of the infection remain unclear. Apple did not immediately respond to a request for comment.

James McQuiggan, security awareness advocate at KnowBe4, says macOS devices are increasingly being targeted, as many users believe that Mac devices are not as vulnerable as Windows. "Cybercriminals recognize that the Mac systems are being used more and more by people, especially now with the M1 systems at a lower cost than the Intel-based chips. However, the malware was adware, which mainly annoys the user with pop-up ads, browser redirects for searches and is removable without reinstalling the operating system, which is the recourse for a Windows malware attack."

Pirrit Campaigns

Pirrit adware has infected thousands of macOS devices since it has been active. A 2017 report by Amit Serper, a security researcher at Cybereason, notes the adware was developed by an Israeli tech firm called TargetingEdge.

The researcher found that there were multiple Pirrit versions capable of installing rogue software or installing a proxy server on the victim’s machine to hijack the browser. The researcher notes the later versions used Apple's scripting/automation language AppleScript to spy on its victims and run with root privileges.

A 2020 report by security firm ESET found that adware was the most common attack vector for hackers to target Mac devices. The report also noted 4.9% of the threats to Mac devices in the second quarter of 2020 were caused by Pirrit adware.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.