ClickFix Malware Evolves to Target macOS, Android, and iOS in Drive-By Attacks

Users are prompted to copy and paste a URL back into their browser, which triggers another redirect to a malicious download page.

  • On macOS, users are directed to a terminal command that downloads and runs a malicious shell script.
  • On Android and iOS, the malware has evolved into a drive-by download, meaning that simply visiting the page triggers a file download—no tapping, copying, or installing required.
  • The download is a .TAR archive containing malware already flagged by several antivirus programs.

“This is a fascinating and evolving attack that demonstrates how attackers are expanding their reach,” c/side noted.
“What started as a Windows-specific ClickFix campaign is now targeting macOS, Android, and iOS, significantly expanding the scale of the operation.”

This evolution has been verified by additional reports from Fox News, Krebs on Security, and TechRadar, each of which documents the increasing complexity and platform reach of the malware.

How to Combat a ClickFix Campaign

With ClickFix’s reach expanding and its tactics becoming more seamless, proactive defense is essential. Here’s how users can protect themselves:

  • Install reputable antivirus software on all devices, including smartphones and Macs.
  • Keep all operating systems and browsers updated to patch known vulnerabilities.
  • Avoid copying and pasting unfamiliar URLs, especially from suspicious or redirect-heavy sites.
  • Use browser security plugins that block known malicious domains and scripts.
  • Regularly back up data to minimize damage in case of infection.
  • Be cautious of websites that redirect multiple times or prompt you to download files unexpectedly.

“Drive-by attacks are especially dangerous because they require no interaction,” the researchers emphasized.