Now that Apple has officially begun the transition to Apple Silicon, so has malware.
Security researcher Patrick Wardle published a blog post detailing his discovery of a malicious program dubbed GoSearch22, a Safari browser extension that’s been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on Macs.) Meanwhile, a new report from Wired quotes other security researchers as having found other instances of native M1 malware, distinct from Wardle’s findings.
The GoSearch22 malware was signed with an Apple developer ID on Nov. 23, 2020—not long after the first M1 laptops were unveiled. Having a developer ID means a user downloading the malware wouldn’t trigger Gatekeeper on macOS, which notifies users when an application they’re about to download may not be safe. Developers can take the extra step of submitting apps to Apple to be notarized for extra confirmation. However, Wardle notes in his writeup that it’s unclear whether Apple ever notarized the code, as the certificate for GoSearch22 has since been revoked. Unfortunately, he also writes that since this malware was detected in the wild, regardless of whether Apple notarized it, “macOS users were infected.”
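For triage, the two properties discussed above (a native M1 build and a code signature) can be read straight from a Mach-O file's headers. The following is an added example, not code from Wardle's writeup or from Apple: the function names are hypothetical, and the sample input is a constructed, header-only byte string rather than a real binary.

```python
import struct
# Values from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") header, big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O, little-endian on disk
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D

def thin_slice(data, off=0):
    """Return (arch, has_embedded_signature) for the 64-bit Mach-O at off."""
    if len(data) < off + 32:
        raise ValueError("truncated Mach-O header")
    magic, cpu, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, off)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    pos, end = off + 32, min(off + 32 + sizeofcmds, len(data))
    signed = False
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands run past the header")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8:
            raise ValueError("bad load command size")
        signed = signed or cmd == LC_CODE_SIGNATURE
        pos += cmdsize
    return CPU_NAMES.get(cpu, hex(cpu)), signed

def slices(data):
    """List (arch, signed) for each slice of a thin or universal binary."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O")
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        return [thin_slice(data)]
    # Java class files share this magic; real universal binaries have few slices.
    if not 0 < nfat <= 16 or len(data) < 8 + 20 * nfat:
        raise ValueError("implausible universal header")
    offsets = [struct.unpack_from(">I", data, 8 + 20 * i + 8)[0] for i in range(nfat)]
    return [thin_slice(data, o) for o in offsets]

def constructed_sample():
    """Constructed two-slice universal binary: headers only, no code."""
    sig = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    uuid = struct.pack("<II16s", LC_UUID, 24, bytes(16))
    def thin(cpu, lc):
        return struct.pack("<8I", MH_MAGIC_64, cpu, 0, 2, 1, len(lc), 0, 0) + lc
    x86, arm = thin(0x01000007, uuid), thin(0x0100000C, sig)
    fat = struct.pack(">12I", FAT_MAGIC, 2, 0x01000007, 3, 48, len(x86), 0,
                      0x0100000C, 0, 48 + len(x86), len(arm), 0)
    return fat + x86 + arm
```

An `LC_CODE_SIGNATURE` load command only shows that a slice carries a signature; whether the signing certificate is still trusted or has been revoked, as happened with GoSearch22, has to be checked on a Mac with `codesign` and `spctl`.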
Source: The M1 Malware Has Arrived