“Watching malware make the transition from Intel to M1 rapidly is concerning because security tools aren’t ready to deal with it."
Apple’s shift towards its own in-house M1 processors has meant faster performance for consumers and some extra work for developers. While Apple’s Rosetta creates backward compatibility for the M1 chip, many developers are working to get their software to run natively — and they’re not alone.
Wardle’s malware analysis covers an adware extension for Safari that previously ran on Intel chips. The malicious software isn’t a significant threat, but it shows that security measures will need to be updated much faster.
What’s the malware doing? — The extension Wardle assessed is called GoSearch22, a part of the well-known Pirrit Mac adware arsenal. It was added to an antivirus testing portal in December, shortly after the first M1 Macs were released.
GoSearch22 runs a pretty standard gambit, disguising itself as a genuine extension while gobbling up user data and serving intrusive ads that often link to even more nefarious corners of the internet.
What’s notable about this malware is that Wardle found an Apple developer ID dated November 23. This paid account is meant to help Apple monitor and track its developers, and the company has since removed the extension’s certificate.
What’s the big deal? — The malware has some features to resist detection, but an Intel x86 version was easy to find. Detection dropped by 15 percent for his M1 version, which Wardle suggests is due to the struggles of updating security tools to handle its binary format.
“The security community doesn’t have signatures to detect these threats yet, since they haven’t been observed,” Tony Lambert, a Red Canary intelligence analyst, told Wired.
Apple is still going full-steam ahead on its own microprocessors, so security programs need to catch up before the technology — or bad actors — laps them.