The first piece of malware created to run on Apple’s new M1 processor was discovered in early 2021. GoSearch22 is an adware variant that can hijack browser search results and inject advertising content. It might show advertisements that can download and/or install unwanted applications by running certain scripts. Some experts speculate that it may also be able to steal data from victims, and it usually comes bundled in free online software packages. Currently, its installation is blocked on recent versions of macOS, but that could certainly change.
According to independent Mac security researcher Patrick Wardle, who studied its code, it wasn’t immediately clear that a second version had been created to run on the M1 processor.
In a blog post from February of 2021, Wardle said, “I figured it would make sense that (eventually) we’d see malware built to execute natively on Apple new M1 systems. Malware authors have now joined the ranks of developers (re)compiling their code to ARM64 to gain natively binary compatibility with Apple’s latest hardware.”
Devices That Are Susceptible to GoSearch22 Infection
The newest versions of the MacBook Air, MacBook Pro and Mac Mini all utilize the M1 chip. The chip, which is based on the ARM64 architecture, is designed completely differently from the Intel x86-64 processors used by previous Macs. GoSearch22 is similar to Pirrit adware, which was first spotted in 2016 and still poses a threat to Macs.
In an interview with Motherboard, Wardle added, “It seems like fairly vanilla adware. Its main goal, objective, seems to be related to financial gain via ads, search results, etc.”
Although GoSearch22 is similar to most adware strains that are designed to collect browsing data, there is concern that it may steal data or even result in more malware being installed on Macs. However, there’s no proof yet that GoSearch22 is capable of this.
Unfortunately, GoSearch22 is also harder to spot. While many of the best Mac anti-malware programs can catch the regular version of GoSearch22, fewer are capable of detecting the M1-coded version. “Several industry-leading AV engines (who readily detected the x86_64 version) failed to flag the malicious arm64 binary,” according to Wardle’s blog post.
As the underground world of cybercrime continues to focus on new Mac infections, 2021 may prove to be the year of the “Mac Hack.”