
Cybersecurity expert detected malware for Apple M1 chips

Patrick Wardle, one of the world’s leading experts on security of Apple products, discovered a modification of the Pirrit malware designed to run on the Apple M1 chips.

Apple’s M1 chips were unveiled in November 2020, and since then, many developers have prepared new versions of their apps to provide better performance and compatibility.

Wardle writes that malware authors are now taking the same step, adapting their malware for the Apple M1.

“Apple’s new M1 systems offer a myriad of benefits, and natively compiled arm64 code runs blazingly fast. Today, we highlighted the fact that malware authors have now joined the ranks of developers …(re)compiling their code to arm64 to gain native binary compatibility with Apple’s latest hardware,” Patrick Wardle says.

In his article, the expert describes in detail the GoSearch22 adware, which is disguised as a Safari extension. It collects data about the sites the user visits and displays a huge number of advertisements, including banners and pop-ups that link to suspicious sites that distribute malware. This “product” was originally written to run on Intel x86, but has since been ported to the ARM-based M1 chips.

While M1-based devices can run x86-based software (via Rosetta), native M1 support not only brings efficiency gains but also gives attackers a better chance of going undetected, since security tools tuned to x86 code may not yet inspect arm64 binaries as thoroughly.
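As an added example (not code from the article, from Wardle, or from Objective-See's tools), the following Python script performs the first triage check a defender wants on a suspicious macOS binary: read the Mach-O header and report which CPU architectures the file carries, so that a universal or arm64-only sample is not mistaken for an Intel-only one. The constants come from Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>`; the sample inputs are constructed minimal headers, not real GoSearch22 data.

```python
"""List the CPU architectures a Mach-O image was built for (added example).

A universal ("fat") binary starts with a big-endian fat_header followed by one
fat_arch record per slice; each slice is a thin Mach-O with its own header.
"""
import struct

# Constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE           # universal binary, header is big-endian
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O, stored in little-endian host order
MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86_64 = 7 | CPU_ARCH_ABI64    # 0x01000007
CPU_TYPE_ARM64 = 12 | CPU_ARCH_ABI64    # 0x0100000C
CPU_TYPE_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64", 7: "i386", 12: "arm"}


def _name(cputype: int) -> str:
    return CPU_TYPE_NAMES.get(cputype, f"unknown(0x{cputype:08x})")


def macho_architectures(data: bytes) -> list[str]:
    """Return the architecture names found in a thin or universal Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O image")
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_be == FAT_MAGIC:
        nfat_arch, = struct.unpack_from(">I", data, 4)
        # Java .class files share this magic; a genuine fat header has a tiny slice count
        if nfat_arch > 0x30:
            raise ValueError("FAT magic with implausible slice count (Java class file?)")
        archs = []
        for i in range(nfat_arch):
            cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            if offset + size > len(data):
                raise ValueError(f"slice {i} runs past the end of the file")
            # The slice is itself a thin Mach-O; its header must agree with the fat_arch record
            inner = macho_architectures(data[offset:offset + size])
            if inner != [_name(cputype)]:
                raise ValueError(f"slice {i}: fat_arch says {_name(cputype)}, header says {inner}")
            archs.extend(inner)
        return archs
    magic_le, = struct.unpack_from("<I", data, 0)
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        cputype, = struct.unpack_from("<I", data, 4)
        return [_name(cputype)]
    raise ValueError("not a Mach-O image")


def has_native_arm64(data: bytes) -> bool:
    """True when the file can run natively on Apple silicon without Rosetta."""
    return "arm64" in macho_architectures(data)


# --- constructed sample inputs (headers only, no load commands) -------------
def _thin_header(cputype: int) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_universal(cputypes) -> bytes:
    """Build a minimal universal binary whose slices are the thin headers above."""
    fat = struct.pack(">II", FAT_MAGIC, len(cputypes))
    offset = 8 + 20 * len(cputypes)          # slices start right after the fat_arch table
    body = b""
    for ct in cputypes:
        slice_bytes = _thin_header(ct)
        fat += struct.pack(">5I", ct, 0, offset, len(slice_bytes), 0)   # align 0 for the sample
        body += slice_bytes
        offset += len(slice_bytes)
    return fat + body


SAMPLE_UNIVERSAL = build_universal([CPU_TYPE_X86_64, CPU_TYPE_ARM64])   # constructed
SAMPLE_THIN_ARM64 = _thin_header(CPU_TYPE_ARM64)                         # constructed

if __name__ == "__main__":
    for label, blob in (("universal", SAMPLE_UNIVERSAL), ("thin", SAMPLE_THIN_ARM64)):
        print(f"{label}: {macho_architectures(blob)}  native arm64: {has_native_arm64(blob)}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `macho_architectures`; the result matches what `file` or `lipo -archs` report, and a mismatch between a fat_arch record and the slice it points to is treated as an error rather than silently trusted.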

According to a sample uploaded to VirusTotal on December 27, 2020, the fraudulent extension is a variant of the Pirrit adware, which was first detected back in 2016. The new variant apparently appeared in November of last year.

“We highlighted a Pirrit variant (GoSearch22.app) that was first discovered and submitted thanks to Objective-See’s free, open-source tools!” Wardle writes.

The researcher notes that in November 2020 the extension was signed with the Apple Developer ID of an otherwise unknown developer, hongsheng_yan, to conceal its malicious content. Since then the signature has been revoked, which means the attackers will have to re-sign the malware with a different certificate for it to keep working.

As I also reported, Matryosh malware attacks Android devices via ADB.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
