Security researchers have observed a notable evolution in ClickFix attacks, which have transitioned from a Windows-centric threat to a more expansive menace that now targets macOS, iOS, and Android devices. This shift raises significant concerns, particularly for mobile users, as the attack has morphed into a drive-by assault.
Understanding the ClickFix Evolution
According to a recent analysis by c/side, the new iteration of ClickFix begins with a compromised website. Cybercriminals inject JavaScript code that redirects users to a new browser tab upon clicking specific elements on the page. This tab presents what appears to be a legitimate URL shortener, prompting users to copy and paste a link into their browser. However, this seemingly innocuous action triggers yet another redirect, leading to a download page that serves malware.
On macOS, the attack culminates in a terminal command that fetches and executes a malicious shell script, which has already been flagged by multiple antivirus programs. The situation is even more alarming on Android and iOS devices, where the attack can occur without any user interaction.
“When we tested this on Android and iOS, we expected a ClickFix variant. But instead, we encountered a drive-by attack,” the researchers noted. This type of cyberattack allows malicious code to be executed or downloaded onto a device simply by visiting a compromised webpage, eliminating the need for any clicks or installations.
In this scenario, the compromised site downloads a .TAR archive file containing malware, which has also been identified by at least five antivirus programs. “This is a fascinating and evolving attack that demonstrates how attackers are expanding their reach,” c/side explained. “What started as a Windows-specific ClickFix campaign is now targeting macOS, Android, and iOS, significantly expanding the scale of the operation.”
