Security researcher Patrick Wardle published a blog post detailing the new Apple M1 malware. It’s called GoSearch22, and it’s a Safari browser extension that’s been reworked for the new Apple Silicon chip. The malware itself isn’t exactly new, as it’s a variant of the Pirrit adware family that’s already infected prior Macs.
But the strange thing about this new variant is that it was signed with an Apple developer ID on 23 November 2020. That’s barely two weeks after the Apple M1 was officially unveiled. And being signed with a developer ID means that it won’t trigger macOS Gatekeeper. The certificate for it has since been revoked, but it may have been too late. Wardle claims that macOS users were already infected.
In the blog, Wardle also notes that malware for ARM64 chips, which the Apple M1 is, has about a 15% lower detection rate compared to malware written for Intel’s x86 architecture. While this is not entirely unexpected, it does show that those making malware are having an easier time adapting to the new platform than those protecting users from it.