Patrick Wardle, one of the world’s leading experts on the security of Apple products, has discovered a variant of the Pirrit adware compiled to run natively on Apple’s M1 chips.
Apple’s M1 chips were unveiled in November 2020, and since then, many developers have prepared new versions of their apps to provide better performance and compatibility.
Wardle writes that malware authors are now taking the same step, adapting their malware to run natively on the Apple M1.
“Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast. Today, we highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to arm64 to gain natively binary compatibility with Apple’s latest hardware”, — Patrick Wardle says.
In his write-up, the researcher describes in detail the GoSearch22 adware, which is disguised as a Safari extension. It collects data about the sites the user visits and displays a large number of advertisements, including banners and pop-ups that link to suspicious sites distributing malware. This “product” was originally written for Intel x86 and has since been recompiled for the ARM-based M1.
While M1-based Macs can still run x86 software through Rosetta 2, native arm64 support not only brings efficiency gains but also gives attackers a better chance of going undetected: the arm64 build is a different binary with different hashes, and Wardle found that antivirus engines on VirusTotal flagged it less often than the x86_64 build of the same adware, because detection signatures and analysis tools written for Intel code do not automatically cover the arm64 slice.
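The detection gap above comes down to how macOS packages native code: a universal binary is a fat wrapper holding one Mach-O slice per architecture, and a scanner that hashes the file as a whole, or only walks the x86_64 slice, never looks at the arm64 code. The following Python is an added example written for this article, not Wardle’s or Objective-See’s code. It builds a constructed two-slice universal binary (each slice is just a minimal 64-bit Mach-O header, not a real program, and not the GoSearch22 sample), parses the fat header the way `lipo -archs` or `file` would, hashes every slice separately, and shows that a hash set built only from the Intel build matches nothing in the arm64 slice. It handles 64-bit slices only; the function and record names are the example’s own.

```python
import hashlib
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE          # fat header is stored big-endian
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin Mach-O header, little-endian on x86_64 and arm64
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86_64 = CPU_ARCH_ABI64 | 7     # 0x01000007
CPU_TYPE_ARM64 = CPU_ARCH_ABI64 | 12     # 0x0100000C
CPU_SUBTYPE_X86_64_ALL = 3
CPU_SUBTYPE_ARM64_ALL = 0
MH_EXECUTE = 2
ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")            # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")           # cputype, cpusubtype, offset, size, align (log2)
MACH_HEADER_64 = struct.Struct("<IIIIIIII")  # magic, cputype, cpusubtype, filetype,
                                             # ncmds, sizeofcmds, flags, reserved


def thin_header(cputype, cpusubtype):
    """Minimal 64-bit Mach-O header standing in for one slice (constructed sample:
    no load commands, enough to exercise the parser, not a runnable program)."""
    return MACH_HEADER_64.pack(MH_MAGIC_64, cputype, cpusubtype, MH_EXECUTE, 0, 0, 0, 0)


def build_universal(slices, align_pow=12):
    """Assemble a universal binary from (cputype, cpusubtype, slice_bytes) tuples,
    page-aligning each slice (2**align_pow bytes) the way lipo does."""
    page = 1 << align_pow
    archs, body = [], bytearray()
    offset = page                      # first slice begins on the first page after the header
    for cputype, cpusubtype, blob in slices:
        padded = len(blob) + (-len(blob) % page)
        archs.append(FAT_ARCH.pack(cputype, cpusubtype, offset, len(blob), align_pow))
        body += blob + b"\0" * (padded - len(blob))
        offset += padded
    table = FAT_HEADER.pack(FAT_MAGIC, len(slices)) + b"".join(archs)
    return bytes(table + b"\0" * (page - len(table)) + body)


def _record(cputype, offset, blob):
    return {"arch": ARCH_NAMES.get(cputype, hex(cputype)), "offset": offset,
            "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}


def list_slices(data):
    """Return one record per architecture slice, hashing each slice on its own.
    A thin 64-bit Mach-O (no fat wrapper) yields a single record."""
    if len(data) < MACH_HEADER_64.size:
        raise ValueError("file too short to be a Mach-O")
    magic, nfat = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        mh_magic, cputype = struct.unpack_from("<II", data, 0)
        if mh_magic != MH_MAGIC_64:
            raise ValueError("neither a fat binary nor a 64-bit Mach-O")
        return [_record(cputype, 0, data)]
    # Java class files share the CAFEBABE magic; their version field would parse as a
    # large nfat_arch, so reject implausible counts before trusting the arch table.
    if nfat == 0 or nfat > 32:
        raise ValueError("implausible nfat_arch %d (not a fat Mach-O?)" % nfat)
    records = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = FAT_ARCH.unpack_from(
            data, FAT_HEADER.size + i * FAT_ARCH.size)
        if size < MACH_HEADER_64.size or off + size > len(data):
            raise ValueError("slice %d lies outside the file" % i)
        blob = data[off:off + size]
        mh_magic, inner_cputype = struct.unpack_from("<II", blob, 0)
        if mh_magic != MH_MAGIC_64 or inner_cputype != cputype:
            raise ValueError("slice %d header does not match its fat_arch entry" % i)
        records.append(_record(cputype, off, blob))
    return records


def slices_matching(data, known_hashes):
    """Names of the slices whose SHA-256 is in a hash-based signature set.
    A whole-file hash matches nothing here, and a set built only from the
    x86_64 build leaves the arm64 slice unflagged."""
    return [r["arch"] for r in list_slices(data) if r["sha256"] in known_hashes]


def build_sample():
    """Constructed two-slice universal binary (x86_64 + arm64); not a real malware sample."""
    return build_universal([
        (CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL,
         thin_header(CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL)),
        (CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL,
         thin_header(CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL)),
    ])


if __name__ == "__main__":
    sample = build_sample()
    for rec in list_slices(sample):
        print("%-7s offset=%#x size=%d sha256=%s"
              % (rec["arch"], rec["offset"], rec["size"], rec["sha256"]))
    # A signature set derived only from the Intel build misses the arm64 slice.
    intel_only = {list_slices(sample)[0]["sha256"]}
    print("flagged by x86_64-only signatures:", slices_matching(sample, intel_only))
```

To apply this to a real app, point `list_slices` at the executable inside the bundle’s `Contents/MacOS` directory; on macOS, `lipo -archs` and `file` report the same architecture list, and `codesign -dvv` shows which slices are covered by the signature. The practical lesson is that per-slice hashing, YARA rules and disassembly must be run on every architecture a universal binary carries, not just the one your analysis workstation happens to execute.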
According to a sample uploaded to VirusTotal on December 27, 2020, the fraudulent extension is a variant of the Pirrit adware family, which was first detected back in 2016. The arm64 build apparently appeared in November 2020.
“We highlighted a Pirrit variant (GoSearch22.app) that was first discovered and submitted thanks to Objective-See’s free, open-source tools!”, — Wardle writes.
The researcher notes that in November 2020 the extension was signed with an Apple Developer ID certificate issued to an otherwise unknown developer, hongsheng_yan, so that the adware would pass as legitimately signed software. Apple has since revoked that certificate, so new installs will fail Gatekeeper’s signature check and the attackers will have to re-sign the malware with a different certificate to keep distributing it; on a Mac, `codesign -dvv` on the binary shows the signing identity and `spctl --assess --type execute` reports whether the system still accepts it.
As I also reported, Matryosh malware attacks Android devices via ADB.