Apple M1 malware has already started appearing

GoSearch22 is not technically a 'virus'. But this is definitely not something you want on your shiny new M1 Mac.

Last year, Apple released MacBooks and Mac minis powered by a new ARM CPU, the Apple M1. A few months later, malware authors were already targeting the new hardware directly. Wired interviewed Mac security researcher Patrick Wardle, who discovered an M1-native build of the long-running Pirrit adware family that targets Macs.

Apple M1, malware, and you

ARM CPUs have a very different instruction set architecture (ISA) from the x86 CPUs in traditional PCs, which means that software compiled for one ISA cannot run on the other without assistance. M1 Macs can run x86 software through a translation layer called Rosetta 2, but native M1 applications run considerably faster, as a comparison of Google Chrome running under Rosetta 2 with the M1-native build of Chrome shows.

In terms of malware, Apple users have long benefited from the minority status of their platform. Ten years ago, macOS's share of the desktop operating system market was only 6.5 percent, and few malware authors bothered to target it at all; today that share is approaching 20 percent. The increase in popularity has drawn malware authors along with it. The macOS malware ecosystem is still small and relatively crude compared to the one plaguing Windows, but it is very real.

The incentive for malware authors to target the M1 directly is not huge: most existing macOS malware runs just fine on an M1-equipped Mac via Rosetta 2. Malware authors also tend not to care much about performance, since your CPU cycles cost them nothing, after all. But there are still some benefits to targeting the new hardware directly. The more efficiently malware code runs, the less likely the owners of the infected computers are to notice it and/or care enough to eradicate it.

Finding M1-native malware

Wardle used a research account at VirusTotal to search for samples of M1 malware. The actual query he used was `type:macho tag:arm tag:64bits tag:multi-arch tag:signed positives:2+`, which translates to "signed, multi-architecture Mach-O executables that contain 64-bit ARM code and are flagged by at least two antivirus engines."

Unfortunately, this search mostly yields iOS-targeted malware with support for more than one ARM architecture, but it narrowed things down enough that Wardle could weed out the results manually. Eventually he found a Safari extension called GoSearch22. The application bundle's Info.plist file confirms that it is indeed a macOS (not iOS) application.
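As an added worked example (not Wardle's own tooling, nor code from the article), the following Python script automates the two checks in that weeding-out step: it walks a Mach-O fat header to list the architectures a file actually contains, and applies a heuristic to an Info.plist to tell a macOS bundle from an iOS one. The sample headers and plists are constructed inline and are not real GoSearch22 artefacts; the Info.plist heuristic (LSMinimumSystemVersion and CFBundleSupportedPlatforms=MacOSX for macOS, MinimumOSVersion and iPhoneOS for iOS) is an assumption about typical bundles, not something the article states.

```python
"""Triage helper: does a Mach-O carry a native arm64 slice, and is the
bundle's Info.plist a macOS (not iOS) manifest?

Added example, not Wardle's tooling. Sample inputs below are constructed
headers and plists so the script runs offline; none are real malware.
"""
from __future__ import annotations

import plistlib
import struct

# Magic numbers and CPU types from Apple's <mach-o/fat.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE      # fat (universal) header, always big-endian
FAT_MAGIC_64 = 0xCAFEBABF   # fat header with 32-byte fat_arch_64 entries
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O, written in host byte order
MH_CIGAM_64 = 0xCFFAEDFE    # MH_MAGIC_64 as seen when read with the other byte order

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}


def macho_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures contained in a fat or thin Mach-O blob."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]

    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java .class files share the CAFEBABE magic; a real fat header
        # never carries more than a handful of slices, so sanity-check it.
        if nfat == 0 or nfat > 16:
            raise ValueError(f"implausible fat_arch count {nfat}")
        entry = 20 if magic == FAT_MAGIC else 32   # sizeof(fat_arch) vs fat_arch_64
        if len(data) < 8 + nfat * entry:
            raise ValueError("truncated fat header")
        archs = []
        for i in range(nfat):
            off = 8 + i * entry                      # cputype is the first field
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
        return archs

    if magic == MH_MAGIC_64:        # big-endian thin file (rare)
        cputype = struct.unpack(">I", data[4:8])[0]
    elif magic == MH_CIGAM_64:      # little-endian thin file, the normal case
        cputype = struct.unpack("<I", data[4:8])[0]
    else:
        raise ValueError(f"not a 64-bit Mach-O: magic {magic:#010x}")
    return [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]


def has_native_arm64(data: bytes) -> bool:
    """True if the binary would run natively on an M1 without Rosetta 2."""
    return "arm64" in macho_architectures(data)


def plist_platform(plist_bytes: bytes) -> str:
    """Heuristic (assumption, see lead-in): classify an Info.plist as
    'macOS', 'iOS' or 'unknown' from the platform keys it carries."""
    info = plistlib.loads(plist_bytes)
    platforms = set(info.get("CFBundleSupportedPlatforms", []))
    if "MacOSX" in platforms or "LSMinimumSystemVersion" in info:
        return "macOS"
    if "iPhoneOS" in platforms or "MinimumOSVersion" in info:
        return "iOS"
    return "unknown"


def triage(binary: bytes, info_plist: bytes) -> dict:
    """Combine both checks the way the manual weeding-out step does."""
    archs = macho_architectures(binary)
    platform = plist_platform(info_plist)
    return {
        "architectures": archs,
        "platform": platform,
        "m1_native_macos": "arm64" in archs and platform == "macOS",
    }


# ---- constructed sample inputs: headers only, no code slices ----
def _fat_header(*cputypes: int) -> bytes:
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        # fat_arch: cputype, cpusubtype, offset, size, align (dummy offsets)
        hdr += struct.pack(">IIIII", cputype, 0, 0x4000 * (i + 1), 0x100, 14)
    return hdr


SAMPLE_UNIVERSAL = _fat_header(CPU_TYPE_X86 | CPU_ARCH_ABI64, CPU_TYPE_ARM | CPU_ARCH_ABI64)
SAMPLE_INTEL_ONLY = _fat_header(CPU_TYPE_X86 | CPU_ARCH_ABI64)
# Thin little-endian arm64 mach_header_64: magic, cputype, cpusubtype, filetype, ...
SAMPLE_THIN_ARM64 = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM | CPU_ARCH_ABI64, 0, 2, 0, 0, 0, 0)

SAMPLE_MAC_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.searchextension</string>
  <key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array>
  <key>LSMinimumSystemVersion</key><string>10.15</string>
</dict></plist>"""
SAMPLE_IOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.iosapp</string>
  <key>CFBundleSupportedPlatforms</key><array><string>iPhoneOS</string></array>
  <key>MinimumOSVersion</key><string>13.0</string>
</dict></plist>"""

if __name__ == "__main__":
    print(triage(SAMPLE_UNIVERSAL, SAMPLE_MAC_PLIST))
    print(triage(SAMPLE_UNIVERSAL, SAMPLE_IOS_PLIST))
    print(triage(SAMPLE_INTEL_ONLY, SAMPLE_MAC_PLIST))
```

To use it on a real bundle, feed `macho_architectures()` the bytes of the executable under `Contents/MacOS/` and `plist_platform()` the bytes of `Contents/Info.plist`. Only the header is parsed, so the slices themselves never need to be loaded, which matters when the file is a live sample.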

The app was signed with the Apple Developer ID hongsheng_yan in November 2020, but we do not know whether Apple notarized it, because Apple has since revoked that certificate. With the certificate revoked, this version of GoSearch22 will no longer run on macOS (Gatekeeper's `spctl --assess --type execute` on the bundle now rejects it) unless and until the authors manage to re-sign it with another developer key.

We can also assume that this malware infected real macOS users in the wild before the certificate was revoked; otherwise it is highly unlikely that it would have been submitted to VirusTotal in the first place.

What does GoSearch22 do?

The M1-native sample Wardle found was flagged by 24 separate malware-detection engines. Seventeen of the 24 positives were "generic", but the remaining seven matched signatures for the Pirrit adware family.

Pirrit is an extremely long-lived malware family that started on Windows but was eventually ported to macOS. Its presence on macOS was first documented by researcher Amit Serper in 2016, with a notable follow-up from Serper in 2017.

If you are interested in where all the bodies are buried, both for the Pirrit code itself and for TargetingEdge, the company that distributes it, I recommend Serper's very detailed and informative write-ups. But if you're just looking for the short version: Pirrit variants show unwanted ads, and they are downright nasty about it.

Once a user has installed whatever shiny Trojan the relevant Pirrit variant is wrapped in (which could be a fake video player, a PDF reader, or a seemingly benign Safari extension), the user's default search engine is changed to something nasty and unhelpful, their browsing is tracked, and unwanted ads are injected into the sites they visit.

That is all bad enough on its own, but Pirrit also uses the full bag of malware tricks to stay installed, avoid detection, and generally make life difficult for anyone trying to "interfere" with it. Pirrit seeks out and removes applications and browser extensions that might interfere with it, hides from attempts to find it by staying out of the Applications directory, gains root on the Macs it is installed on, and obfuscates its code in an attempt to make it harder to detect and analyze.
