Hackers already targeting M1 Macs with malware that gains root access
Security researcher Patrick Wardle has found a malicious application called GoSearch22 that is compiled natively for Macs running Apple's new M1 chip. In a blog post, Wardle wrote that the adware disguises itself as a Safari browser extension and appears to be based on Pirrit, a well-known Mac adware family. Once running, it collects user data and plasters advertisements across the screen.
GoSearch22 adware gains root access to macOS, tracks web activity
Like most Pirrit variants, GoSearch22 is bundled as a trojan. Once installed, it changes the user's default search engine, tracks web browsing activity, and injects unwanted ads into web pages. Pirrit is hard to remove from an infected machine: it uninstalls applications and browser extensions that get in its way and hides itself from the Applications folder, which it can do because it obtains root access to macOS.
GoSearch22 targeted Macs in the wild, Apple revoked the developer certificate
Wardle used a researcher account on VirusTotal to hunt for malware compiled natively for M1 Macs, that is, binaries that carry an arm64 build rather than only Intel code that an M1 would run through Rosetta translation. Because VirusTotal's corpus is fed by submissions from real users and organisations, the sample's presence there indicates the malware was circulating in the wild. Apple has since revoked the developer certificate used to sign GoSearch22. Once a certificate is revoked, macOS refuses to launch applications signed with it, so this particular sample no longer runs; a rebuilt variant signed with a fresh certificate would not be affected by that revocation.
Apple's increasing market share attracts malware authors to macOS
A decade ago macOS held about 6.5 percent of the desktop market, which is one reason it was not a primary target for malware authors. With its share now around 17 percent, the malware ecosystem has taken an interest in it. Wardle says GoSearch22 is still "fairly vanilla," but it could be updated to include more invasive and malicious features.
Antivirus engines not equipped to detect threats to M1 Macs
In 2016 and 2017, cybersecurity researcher Amit Serper published reports explaining how Pirrit and Pirrit-based malware work. They noted that while Pirrit is not a "groundbreaking threat," it is extremely difficult for the average user to remove. Wardle points out that few antivirus engines are yet equipped to detect M1-native builds: signatures and heuristics written against the Intel (x86_64) compile of the same malware do not necessarily match its arm64 compile, so the arm64 binary drew fewer detections. Until vendors add arm64 coverage, M1 Macs are more exposed.
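Both the VirusTotal hunt described above and the detection gap in this section turn on one triage question: does a given Mach-O binary contain an arm64 slice, or only Intel code? The following Python script, added here as an illustration and not taken from Wardle's post or from the article, parses the Mach-O thin and fat (universal) headers to list the architectures a file contains and cross-checks each fat-table entry against the slice header underneath it, so a doctored table cannot make an Intel-only binary look M1-native. The sample inputs are constructed headers padded to a page, not real executables.

```python
import struct
from typing import List, Optional, Tuple

# Magic numbers and CPU type constants from <mach-o/fat.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE          # fat (universal) header, big-endian on disk
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64   # 0x01000007: Intel Macs
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64    # 0x0100000C: Apple silicon (M1)

CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM64: "arm64",
}


def _cpu_name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, "cputype_0x%08x" % (cputype & 0xFFFFFFFF))


def _thin_cputype(blob: bytes, offset: int = 0) -> Optional[int]:
    """cputype of the thin Mach-O header at `offset`, or None if no header is there."""
    if len(blob) < offset + 8:
        return None
    # Mach-O headers are written in the target's byte order; try both.
    for order in ("<", ">"):
        magic, cputype = struct.unpack_from(order + "Ii", blob, offset)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return cputype
    return None


def macho_architectures(blob: bytes) -> List[str]:
    """List the architectures in a Mach-O file, thin or fat.

    For fat files each slice header is cross-checked against the fat table, so a
    table entry that claims arm64 over an x86_64 slice is reported as a mismatch
    rather than as a native arm64 build.
    """
    if len(blob) >= 8 and struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", blob, 4)[0]
        # Java class files share the 0xCAFEBABE magic; there the next field is a
        # version number far larger than any plausible slice count.
        if nfat_arch == 0 or nfat_arch > 32 or len(blob) < 8 + 20 * nfat_arch:
            return []
        archs = []
        for i in range(nfat_arch):
            cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
            name = _cpu_name(cputype)
            actual = _thin_cputype(blob, offset) if offset + size <= len(blob) else None
            if actual != cputype:
                name += " (slice header says %s)" % ("missing" if actual is None else _cpu_name(actual))
            archs.append(name)
        return archs
    cputype = _thin_cputype(blob)
    return [] if cputype is None else [_cpu_name(cputype)]


def runs_natively_on_m1(blob: bytes) -> bool:
    """True when the file carries a genuine arm64 slice, i.e. it does not need Rosetta."""
    return "arm64" in macho_architectures(blob)


# ---- constructed sample inputs: bare headers padded to a page, not real binaries ----
MH_EXECUTE = 2


def thin_header_64(cputype: int, cpusubtype: int = 0) -> bytes:
    """A mach_header_64 with no load commands: enough for architecture triage."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, MH_EXECUTE, 0, 0, 0, 0)


def build_fat(slices: List[Tuple[int, bytes]]) -> bytes:
    """Wrap thin blobs in a fat header; each tuple gives the cputype the table will claim."""
    align = 12                      # log2 of slice alignment (4 KiB here; real files use 16 KiB)
    page = 1 << align
    table = b"".join(
        struct.pack(">iiIII", cputype, 0, page * (i + 1), len(blob), align)
        for i, (cputype, blob) in enumerate(slices)
    )
    header = (struct.pack(">II", FAT_MAGIC, len(slices)) + table).ljust(page, b"\0")
    body = b"".join(blob.ljust(page, b"\0") for _, blob in slices)
    return header + body


UNIVERSAL = build_fat([(CPU_TYPE_X86_64, thin_header_64(CPU_TYPE_X86_64, 3)),
                       (CPU_TYPE_ARM64, thin_header_64(CPU_TYPE_ARM64))])
INTEL_ONLY = thin_header_64(CPU_TYPE_X86_64, 3)
# fat table claims arm64, but the slice underneath is an x86_64 header
SPOOFED = build_fat([(CPU_TYPE_ARM64, thin_header_64(CPU_TYPE_X86_64, 3))])
JAVA_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\0" * 16   # class file, major version 52

if __name__ == "__main__":
    for label, sample in [("universal", UNIVERSAL), ("intel_only", INTEL_ONLY),
                          ("spoofed", SPOOFED), ("java_class", JAVA_CLASS)]:
        print("%-10s %-40s native_on_m1=%s" % (label, macho_architectures(sample),
                                               runs_natively_on_m1(sample)))
```

Run against a real file by reading its bytes into `macho_architectures`; the same check is what `file` and `lipo -archs` report on macOS. The point of the slice cross-check is that the fat table is untrusted input: a detection rule keyed only on the table could be steered either way, whereas the magic and cputype inside each slice are what the loader actually honours.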