Now that Apple has officially begun the transition to Apple Silicon, so has the malware.
Security researcher Patrick Wardle published a blog post detailing that he had found a malicious program called GoSearch22, a Safari browser extension that has been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit family of adware, which is notorious on the Mac.) Meanwhile, a new report from Cabling also cites other security researchers who have found instances of native M1 malware beyond Wardle’s findings.
The GoSearch22 malware was signed with an Apple Developer ID on November 23, 2020, shortly after the first M1 laptops were unveiled. Having a developer ID means that a user downloading the malware will not trigger Gatekeeper on macOS, which notifies users when an application they are about to download may not be secure. Developers can take the additional step of submitting applications to Apple to be notarized for further confirmation. However, Wardle notes in his post that it is unclear whether Apple ever notarized the code, as GoSearch22’s certificate has since been revoked. Unfortunately, he also writes that since this malware was detected in the wild, regardless of whether Apple certified it, “macOS users were infected.”
The program itself appears to behave like standard adware. For example, if you are infected with it, you can expect to see coupons, banners, pop-up ads, surveys, and other types of ads promoting suspicious websites and downloads. This type of malware also tends to collect your browsing data, such as IP addresses, sites you have visited, and search queries.
This is to be expected, and no, if you have an M1 computer, you shouldn’t panic just yet. To back up a bit: the M1’s chip architecture is based on ARM, whereas Apple’s previous Macs were built on Intel’s x86 architecture. By making the switch, Apple promised super-fast performance and built-in security. And while we found that the M1 chips produced impressive results in our benchmark tests, it is also clear that the chip is held back by limited software compatibility. Most applications that exist at this time were not developed to run natively on the M1 and require Apple’s Rosetta 2, which automatically translates software written for Intel chips into something the M1 can run. To get the performance Apple promises, you’ll want software that is optimized for the M1 chip, which is why developers are working on native M1 versions of their software. Naturally, malware developers also want their malware to perform at full capacity on M1 devices.
The good news is that security researchers and vendors are also working on detection methods for M1 malware. According to Cabling, however, you should expect some delay in detection rates for new types of malware. Given that unavoidable delay, it is concerning that malware authors have been able to move so quickly from Intel to Apple Silicon. So far, the native M1 malware that has been found does not pose a significant threat. But the M1 has only been around for a few months, and more malicious variants are likely on the way. Eventually, security providers will catch up and update their screening tools to keep consumers safe. In the meantime, if you have an M1-powered laptop, it’s a good idea to double down on your security hygiene and think twice before clicking.
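The first question a defender asks about a sample like GoSearch22 is whether it is actually a native Apple Silicon build or an Intel binary that would only run under Rosetta 2. A Mach-O file answers that in its header: a universal ("fat") binary lists one slice per CPU type, and a thin binary names a single CPU type. The parser below is an added example, not code from the article or from Wardle or any vendor it mentions; it reads those headers and reports the architectures present. The sample headers are constructed inline (no real malware bytes) and the cputype constants are the public values from Apple's `<mach/machine.h>`.

```python
from __future__ import annotations
import struct
import sys

# Header magics. A universal ("fat") binary stores its header big-endian;
# a thin Mach-O stores its header in the target's byte order, which for
# x86_64 and arm64 is little-endian (big-endian thin images are not handled).
FAT_MAGIC = 0xCAFEBABE      # fat_header followed by 20-byte fat_arch entries
FAT_MAGIC_64 = 0xCAFEBABF   # fat_header followed by 32-byte fat_arch_64 entries
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O

# cputype values from <mach/machine.h>; bit 0x01000000 is CPU_ARCH_ABI64.
CPU_TYPES = {
    0x00000007: "x86",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}


def _cpu_name(cputype: int) -> str:
    return CPU_TYPES.get(cputype, f"unknown(0x{cputype:08x})")


def mach_o_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures present in a Mach-O or universal binary image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O image")
    (magic_be,) = struct.unpack(">I", data[:4])
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        (nfat,) = struct.unpack(">I", data[4:8])
        # Java class files share the 0xCAFEBABE magic; a real fat header has a
        # small slice count, so reject implausible values instead of mis-parsing.
        if not 0 < nfat <= 32:
            raise ValueError(f"implausible fat_arch count {nfat}")
        entry_size = 20 if magic_be == FAT_MAGIC else 32
        archs = []
        for i in range(nfat):
            off = 8 + i * entry_size
            if len(data) < off + entry_size:
                raise ValueError("truncated fat_arch table")
            # cputype is the first field of both fat_arch and fat_arch_64;
            # cpusubtype, offset, size and align are not needed here.
            (cputype,) = struct.unpack(">I", data[off:off + 4])
            archs.append(_cpu_name(cputype))
        return archs
    (magic_le,) = struct.unpack("<I", data[:4])
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        (cputype,) = struct.unpack("<I", data[4:8])   # mach_header.cputype
        return [_cpu_name(cputype)]
    raise ValueError("not a Mach-O or universal binary")


def is_native_apple_silicon(data: bytes) -> bool:
    """True if the image carries an arm64 slice, i.e. runs on M1 without Rosetta 2."""
    return "arm64" in mach_o_architectures(data)


def file_architectures(path: str) -> list[str]:
    """Read just enough of a file on disk to classify it (8-byte header + up to 32 slices)."""
    with open(path, "rb") as f:
        return mach_o_architectures(f.read(8 + 32 * 32))


def _fat_arch(cputype: int, cpusubtype: int, offset: int, size: int, align: int) -> bytes:
    return struct.pack(">IIIII", cputype, cpusubtype, offset, size, align)


# Constructed sample headers (not taken from any real binary): a universal image
# with an x86_64 slice and an arm64 slice, and a thin x86_64-only executable.
SAMPLE_UNIVERSAL = (
    struct.pack(">II", FAT_MAGIC, 2)
    + _fat_arch(0x01000007, 3, 0x4000, 0x1000, 14)   # x86_64, CPU_SUBTYPE_X86_64_ALL
    + _fat_arch(0x0100000C, 0, 0x8000, 0x1000, 14)   # arm64,  CPU_SUBTYPE_ARM64_ALL
)
# mach_header_64: magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds,
# sizeofcmds, flags, reserved
SAMPLE_THIN_X86_64 = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0)

if __name__ == "__main__":
    # Usage: python mach_o_arch.py [path ...]; with no arguments, classify the samples.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, file_architectures(p))
    else:
        for name, blob in (("universal", SAMPLE_UNIVERSAL), ("thin x86_64", SAMPLE_THIN_X86_64)):
            print(f"{name}: {mach_o_architectures(blob)} native M1: {is_native_apple_silicon(blob)}")
```

On a Mac the same answer comes from `file` or `lipo -archs`, but a header parser like this is what lets a triage pipeline tag thousands of samples for an arm64 slice without the Apple toolchain. Note that presence of an arm64 slice only says the code can run natively; whether it is signed or notarized is a separate check against the code signature, which this example does not perform.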