Apple’s new ARM-based M1 processors, released for the MacBook Pro, MacBook Air, and Mac Mini in November. Apple’s M1 chip is a departure from the Intel x86 architecture Apple has used since 2005, and it gives Apple the opportunity to bake specific Mac security protections and features directly into its processors. That transition has required legitimate developers to work on building versions of their software that run “natively” on M1 for optimal performance rather than needing to be translated through an Apple emulator called Rosetta 2. Not to be outdone, malware authors have started making the transition too.
Longtime Mac security researcher Patrick Wardle published findings on Wednesday about a Safari adware extension that was originally written to run on Intel x86 chips, but has now been redeveloped specifically for M1. The malicious extension, GoSearch22, is a member of the notorious Pirrit Mac adware family.
Wardle wrote, “confirms malware/adware authors are indeed working to ensure their malicious creations are natively compatible with Apple’s latest hardware.”
Wardle discovered the malware on Alphabet-owned antivirus testing platform VirusTotal, where someone uploaded it in December. The researcher found that, although the platform’s antivirus scanners flagged the x86 version of the adware as malicious, 15 percent of them didn’t suspect the M1 version of GoSearch22 was malware. That suggests not all antivirus software is fully ready to root out malware designed for M1-based systems. Another researcher, Thomas Reed, said that compiling software for “M1 can be as easy as flicking a switch in the project settings,” so it seems hackers might not have to do much to adapt their malware for Apple’s latest processor.
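A triage helper for the x86-versus-M1 distinction described above, added here as an example and not taken from Wardle's research or the article: it reads a file's Mach-O or universal-binary header and reports which CPU architectures the file carries. The function names and sample headers are constructed for illustration; the magic numbers and CPU type values are the ones defined in Apple's Mach-O headers.

```python
import struct

# CPU type values from Apple's <mach/machine.h>
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64",
             0x00000007: "i386", 0x0000000C: "arm"}
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # universal header, big-endian
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}             # 32-bit / 64-bit Mach-O


def macho_architectures(data: bytes) -> list:
    """Return the CPU architectures a Mach-O or universal binary carries."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    (magic_be,) = struct.unpack_from(">I", data, 0)
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        (count,) = struct.unpack_from(">I", data, 4)
        entry = 20 if magic_be == FAT_MAGIC else 32   # fat_arch / fat_arch_64 size
        # Java .class files share 0xCAFEBABE; a real slice count is small.
        if count == 0 or count > 32 or 8 + count * entry > len(data):
            raise ValueError("implausible universal header")
        cputypes = [struct.unpack_from(">I", data, 8 + i * entry)[0]
                    for i in range(count)]
    else:
        for order in ("<", ">"):   # thin file: header uses the target's byte order
            magic, cputype = struct.unpack_from(order + "II", data, 0)
            if magic in THIN_MAGICS:
                cputypes = [cputype]
                break
        else:
            raise ValueError("not a Mach-O file")
    return [CPU_TYPES.get(c, hex(c)) for c in cputypes]


def needs_rosetta(data: bytes) -> bool:
    """True when the file has Intel code but no native arm64 slice."""
    archs = macho_architectures(data)
    return "x86_64" in archs and "arm64" not in archs


# Constructed sample headers (not real samples): a universal header listing
# x86_64 and arm64 slices, and a thin 64-bit x86_64 header.
SAMPLE_UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
                    + struct.pack(">5I", 0x01000007, 3, 0x4000, 0x1000, 14)
                    + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0x1000, 14))
SAMPLE_THIN_X86 = struct.pack("<II", 0xFEEDFACF, 0x01000007) + bytes(24)

if __name__ == "__main__":
    print(macho_architectures(SAMPLE_UNIVERSAL), needs_rosetta(SAMPLE_THIN_X86))
```

Listing the slices this way shows whether a sample carries native arm64 code that also needs scanning, or only Intel code that would run through Rosetta 2.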
GoSearch22 was signed with an Apple developer ID in November, according to Wardle. However, Apple has revoked the adware’s certificate, which will make it difficult for users to install it.