Patrick Wardle, an independent macOS security researcher, found GoSearch22.app, which is an instance of the ‘Pirrit’ adware.
A security researcher has found a malicious app created to hack Apple Silicon M1 Macs.
Patrick Wardle, an independent macOS security researcher, found GoSearch22.app, which is an instance of the ‘Pirrit’ adware. It is responsible for showing ads and collecting data from users.
This variant of Pirrit appears to persist as a launch agent and to install itself as a malicious Safari extension. In addition, the malicious code attempts to detect whether it is running in a virtual machine by looking for various virtual machine “artifacts”.
“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems,” Patrick Wardle said in a blog post.
“The malicious GoSearch22 application may be the first example of such natively M1 compatible code.”
Wardle noted that such applications are created for two main reasons. First, to show that malicious code continues to evolve as hardware and software undergo changes. There are myriad benefits to natively distributing arm64 binaries, he added.
Secondly, analysis tools or anti-virus engines may struggle with arm64 binaries. He said that GoSearch22 was signed with an Apple Developer ID, but anti-virus systems that could spot the Intel version of Pirrit failed to catch the Apple Silicon version.
It was also not known if the developer submitted it to Apple since the firm has revoked the developer certificate.
“What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected,” Wardle said.
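The multi-architecture point above can be checked directly on a file. The following Python sketch is an added example, not code from Wardle's post or from this article: it reads the universal ("fat") Mach-O header and lists the architecture slices, so a defender can see whether a sample carries native arm64 code alongside the Intel code. The function names and the sample bytes are constructed for this illustration.

```python
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # universal ("fat") headers
# Thin Mach-O magics as seen when read big-endian -> byte order of the file
THIN_MAGICS = {0xFEEDFACE: ">", 0xFEEDFACF: ">", 0xCEFAEDFE: "<", 0xCFFAEDFE: "<"}
CPU_NAMES = {0x00000007: "i386", 0x01000007: "x86_64",
             0x0000000C: "arm", 0x0100000C: "arm64"}

def macho_architectures(data: bytes) -> list:
    """Return the CPU architecture names present in a Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic in THIN_MAGICS:                      # single-architecture file
        (cpu,) = struct.unpack_from(THIN_MAGICS[magic] + "I", data, 4)
        return [CPU_NAMES.get(cpu, hex(cpu))]
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        raise ValueError("not a Mach-O file")
    (count,) = struct.unpack_from(">I", data, 4)  # fat headers are big-endian
    # Java class files also start with 0xCAFEBABE; their version field lands
    # here with a value of 45 or more, so an implausible count is rejected.
    if not 0 < count <= 30:
        raise ValueError("implausible slice count, probably not Mach-O")
    fmt = ">IIQQII" if magic == FAT_MAGIC_64 else ">IIIII"
    step = struct.calcsize(fmt)
    archs = []
    for i in range(count):
        pos = 8 + i * step
        if pos + step > len(data):
            raise ValueError("truncated fat_arch table")
        cpu, _sub, offset, size = struct.unpack_from(fmt, data, pos)[:4]
        if offset + size > len(data):             # slice must lie inside file
            raise ValueError("slice extends past end of file")
        archs.append(CPU_NAMES.get(cpu, hex(cpu)))
    return archs

def has_native_arm64(data: bytes) -> bool:
    """True when the image carries a slice that runs natively on M1."""
    return "arm64" in macho_architectures(data)

def constructed_sample() -> bytes:
    """Constructed two-slice universal header with 16 dummy bytes per slice."""
    table = struct.pack(">II", FAT_MAGIC, 2)
    table += struct.pack(">IIIII", 0x01000007, 3, 48, 16, 0)   # x86_64 slice
    table += struct.pack(">IIIII", 0x0100000C, 0, 64, 16, 0)   # arm64 slice
    return table + b"\x00" * 32

if __name__ == "__main__":
    print(macho_architectures(constructed_sample()))
```

A scanner whose signatures were written against the x86_64 slice should run them against every slice this returns, since each slice is a separate compiled image.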