Security Advisory on Apple Chips Malware

Apple iOS
Advisory ID:
February 23, 2021


A new piece of malware has been discovered that is packaged as a multi-architecture application so that its code runs natively on Apple’s M1 Silicon chips. This is an attempt by malicious actors to target the company’s latest generation of Macs powered by its own processors. The malware takes the form of a Safari adware extension originally written to run on Intel x86 chips. The malicious extension, called "GoSearch22," is a well-known member of the "Pirrit" Mac adware family.

Description & Consequence

Pirrit is a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements to users that, when clicked, download and install unwanted apps that come with information-gathering features. Pirrit is one of the oldest and most active Mac adware families and has been known to change constantly in an attempt to evade detection, so it is unsurprising that it has already begun adapting for the M1.

Furthermore, the GoSearch22 adware presents itself as a legitimate Safari browser extension, but collects user data and serves a large number of ads such as banners and popups, including some that link to malicious websites to proliferate more malware. The adware was signed with an Apple Developer ID in November 2020 to further conceal its malicious content, but that ID has since been revoked.

Certain defensive tools, such as antivirus engines, struggle to process this 'new' binary file format. They can easily detect the Intel x86 version but fail to detect the ARM M1 version, even though the code is logically identical.
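A multi-architecture (universal) Mach-O file carries a separate image per architecture, so a scanner that inspects only the Intel slice never sees the ARM code. The following Python sketch is an added example, not code from this advisory or from any vendor tool: it lists each slice and hashes it separately so that both can be checked. The function names, the constructed sample bytes and the slice-count cap are assumptions of this example.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE      # universal binary, 32-bit offsets (big-endian header)
FAT_MAGIC_64 = 0xCAFEBABF   # universal binary, 64-bit offsets
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
MAX_SLICES = 16  # assumption: sanity cap, since Java .class files share 0xCAFEBABE


def list_slices(data: bytes) -> list:
    """Return one record per architecture slice of a universal Mach-O file."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        raise ValueError("not a universal (fat) Mach-O file")
    if not 0 < count <= MAX_SLICES:
        raise ValueError(f"implausible slice count {count}")
    # fat_arch: cputype, cpusubtype, offset, size, align (+ reserved in 64-bit form)
    fmt = ">IIQQII" if magic == FAT_MAGIC_64 else ">IIIII"
    entry_size = struct.calcsize(fmt)
    slices = []
    for i in range(count):
        start = 8 + i * entry_size
        if start + entry_size > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, _sub, offset, size = struct.unpack_from(fmt, data, start)[:4]
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        digest = hashlib.sha256(data[offset:offset + size]).hexdigest()
        arch = CPU_NAMES.get(cputype, hex(cputype))
        slices.append({"arch": arch, "offset": offset, "size": size, "sha256": digest})
    return slices


def build_sample() -> bytes:
    """Constructed two-slice file (placeholder bodies, not real code)."""
    x86 = struct.pack("<II", 0xFEEDFACF, 0x01000007) + b"\x00" * 24
    arm = struct.pack("<II", 0xFEEDFACF, 0x0100000C) + b"\x01" * 24
    table = struct.pack(">IIIII", 0x01000007, 3, 64, len(x86), 0)
    table += struct.pack(">IIIII", 0x0100000C, 0, 96, len(arm), 0)
    header = struct.pack(">II", FAT_MAGIC, 2) + table  # 8 + 40 = 48 bytes
    return header.ljust(64, b"\x00") + x86 + arm


if __name__ == "__main__":
    for s in list_slices(build_sample()):
        print(s["arch"], s["offset"], s["size"], s["sha256"])
```

Each slice has its own hash, so a verdict on the x86_64 slice says nothing about the arm64 slice of the same file.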

Successful exploitation could result in the following:

  • Unwanted Ads Display
  • Collection of sensitive user data
  • Remote code execution


1. Avoid clicking on deceptive advertisements, as analysis tools and anti-virus engines fail to detect the malware once a system is infected.

2. Apple users are advised to update their operating system regularly.



