GoSearch22

GoSearch22 is a variant of Pirrit, an adware family that targets macOS systems. The GoSearch22 version displays unwanted advertisements as a core feature but uses code specific to the MacBook Air's M1 processor. Mac users should update their security solutions so that they can detect and delete GoSearch22, and should avoid interacting with suspicious advertisements in the Safari browser, which could be dangerous.

The Next Generation of Mac Adware

With distribution spikes dating back as far as 2016, the persistence of the Pirrit adware family should come as no surprise to Mac users. Although most Potentially Unwanted Programs (PUPs) target larger demographics (i.e., Windows users), OS X and macOS users are another long-term revenue source. Years later, cyber-security industry researchers confirm that the development of Pirrit lives on in a drastically recompiled form: GoSearch22.


GoSearch22's code is logically identical to that of Pirrit. The adware provides supposedly benign Web-searching services as a Safari extension. However, a from-the-ground-up recompiling of the project reworks it for native compatibility with M1 processors – the first of its kind. The result is that GoSearch22 expressly targets products with M1s, like the MacBook Air, and evades previously reliable detection metrics from security products.
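As an added illustration (not part of the original article or any vendor's tooling), the following Python code reads Mach-O headers and reports which CPU architectures a file carries, so a defender can check whether a binary includes a native arm64 slice that Intel-only signatures were never written against. The byte strings at the bottom are constructed headers, not data from a real sample.

```python
import struct

# CPU type values from Apple's <mach/machine.h>
CPU_TYPES = {0x00000007: "i386", 0x01000007: "x86_64",
             0x0000000C: "arm", 0x0100000C: "arm64"}
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}  # 32-bit and 64-bit Mach-O

def macho_archs(data: bytes) -> list:
    """List the architectures in a thin or universal Mach-O image ([] if not Mach-O)."""
    if len(data) < 8:
        return []
    magic_be, count = struct.unpack_from(">II", data, 0)
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        entry = 20 if magic_be == FAT_MAGIC else 32  # fat_arch / fat_arch_64 size
        # Java class files share 0xCAFEBABE; their version field exceeds any
        # plausible slice count, so bound it and require the table to fit.
        if not (0 < count <= 16) or len(data) < 8 + count * entry:
            return []
        cpus = [struct.unpack_from(">I", data, 8 + i * entry)[0] for i in range(count)]
        return [CPU_TYPES.get(c, hex(c)) for c in cpus]
    for endian in ("<", ">"):  # thin headers are stored in the target's byte order
        magic, cputype = struct.unpack_from(endian + "II", data, 0)
        if magic in THIN_MAGICS:
            return [CPU_TYPES.get(cputype, hex(cputype))]
    return []

def has_native_arm64(data: bytes) -> bool:
    """True when the file carries code that runs natively on Apple silicon."""
    return "arm64" in macho_archs(data)

# Constructed sample headers (not taken from any real sample)
THIN_ARM64 = struct.pack("<II", 0xFEEDFACF, 0x0100000C) + bytes(24)
THIN_X86_64 = struct.pack("<II", 0xFEEDFACF, 0x01000007) + bytes(24)
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">5I", 0x01000007, 3, 0x4000, 0x1000, 14)
             + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0x1000, 14))
JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 52) + bytes(16)

if __name__ == "__main__":
    for name, blob in [("thin arm64", THIN_ARM64), ("thin x86_64", THIN_X86_64),
                       ("universal", UNIVERSAL), ("java class", JAVA_CLASS)]:
        print(f"{name:12} {macho_archs(blob)} native_arm64={has_native_arm64(blob)}")
```

Only the first few dozen bytes of a file are needed, so the same function can be run over the opening bytes of every executable in an inventory to see where arm64 detection coverage matters.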

The GoSearch22 version also uses a developer ID to avoid triggering Gatekeeper, which would otherwise block unsafe downloads. In its essential functions, malware experts find it no different from Pirrit. The adware displays advertising in pop-ups and other formats, which may endanger the user's computer, and also tracks Web-surfing activities for profit.

An End to Searching for Safety in Safari

The significant effort put into GoSearch22's development suggests significant financial motivation on the threat actor's part. While malware experts don't classify GoSearch22 as being spyware, even a low-level threat like this one may display misleading or harmful content. Advertisements from GoSearch22's Pirrit family historically include drive-by-download attacks, schemes, and exploits, in addition to their 'safe' content.

Users should stay attentive to pop-ups, hijacked searches, and other symptoms of adware and unwanted browser extensions. Standard precautions like disabling JavaScript, blocking advertisements, and periodically reviewing all browser add-ons will limit the risks from this adware. Apple has revoked GoSearch22's current digital certificate as a countermeasure, but the adware remains capable of dodging outdated threat databases – including ones that are adequate for the Intel x86 hardware-based Pirrit versions.

Users with compromised M1 computers should close all browser windows and processes, disconnect from the Internet, and scan the system with a comprehensive and up-to-date anti-malware service. On its own, malware analysts don't categorize GoSearch22 as a significant threat, so removing GoSearch22 immediately with appropriate security tools will eliminate most of the potential for long-term consequences.

GoSearch22 is a fresh spin on an age-old tactic of making money with advertisements, whether the advertisers are well-meaning or toxic. The campaign is a useful reminder that anyone who updates their computer should also look into updating their security along with it, or they'll pay in Web advertisements.
