Devious new ClickFix malware variant targets macOS, Android, and iOS using browser-based redirections

Security researchers found ClickFix attacks evolving to target other operating systems
On Android and iOS, the attack is particularly worrisome, as it transforms into a drive-by attack
The malware is already being flagged by antivirus programs

ClickFix, an infamous hacking technique that tricks people into running malware thinking they’re fixing a problem on their computer, has evolved, experts have warned.

New research from c/side has revealed what used to be a Windows-only attack method is now capable of targeting macOS, iOS and Android devices, as well.

In a blog post analyzing the evolution, the researchers said the new attack starts with a compromised website. The threat actors would inject JavaScript code which redirected users to a new browser tab when they clicked on certain elements on the page. The new tab then displays a page that looks like a legitimate URL shortener, with a message to copy and paste a link into the browser – and doing so triggers yet another redirect, this time to a download page.

Fetching the malicious payload

Here is where the technique diverges, depending on the operating system of the victim.

On macOS, the attack leads to a terminal command that fetches and executes a malicious shell script, already flagged by multiple antivirus programs.

On Android and iOS, things are even worse, since the attack no longer requires any user interaction.

“When we tested this on Android and iOS, we expected a ClickFix variant. But instead, we encountered a drive-by attack,” the researchers explained.

“A drive-by attack is a type of cyberattack where malicious code is executed or downloaded onto a device simply by visiting a compromised or malicious webpage. No clicks, installs, or interaction required.”

In this case, the site downloads a .TAR archive file, holding malware. This one, too, was flagged by at least five antivirus programs already.

“This is a fascinating and evolving attack that demonstrates how attackers are expanding their reach,” c/side explained. “What started as a Windows-specific ClickFix campaign is now targeting macOS, Android, and iOS, significantly expanding the scale of the operation.”