Beware: Typosquatting campaign delivers Windows, Android malware

A massive typosquatting campaign was recently discovered using various rogue domains to infect the Windows and Android devices of unsuspecting users with malware.

Typosquatting, also known as URL hijacking, is a form of cyberattack in which attackers trick unsuspecting users into visiting a fraudulent website by registering a domain name similar to that used by genuine brands. Typically, users end up on these malicious websites when they mistype the domain of the website they want to visit. You can also be lured to these websites via phishing emails, SMS messages, direct messages, and malicious posts on social media and forums.

In the typosquatting campaign recently discovered by BleepingComputer, the domains used by the cybercriminals feature a single letter swap or an additional character, making them look genuine. Their websites also look very similar to the authentic ones, making it difficult for users to identify that they are on a fraudulent website.

Smart fraudulent domains

Some of the malicious domains impersonate popular Android app stores such as Google Play, APKCombo, and APKPure, as well as PayPal, Snapchat, VidMate, and TikTok download portals. For example, the cyber criminals used “paltpal-apk[.]com” for PayPal’s Android app download link and “tlktok-apk[.]link” for TikTok. Downloading files from these links will infect an Android device with a banking Trojan.

However, the typosquatting campaign has also been found spreading Windows-based malware. According to BleepingComputer, there are over 90 websites designed to impersonate over 27 popular brands. These websites not only infect devices with malware, but also steal cryptocurrency recovery keys.

The fake Visual Studio Code website (left) and the authentic Visual Studio Code website (right) | click to enlarge

A notable example is the domain for Visual Studio Code. The deceptive website uses the domain “codevisualstudio[.]org” which is very similar to the authentic domain “”. When a visitor downloads the bogus software on the site, their device becomes infected with a spyware program.

Another is “ethersmine[.]com”, a fake version of the “” domain. When a user connects their Ethereum wallet to the former, cyber criminals can easily steal their wallet information.

To reduce the risk of falling for typosquatting attacks, you should always be careful when typing a website into your web browser’s address bar. Also use antivirus software to check if a website is safe to visit and prevent the site from downloading malicious code. Finally, use two-factor authentication to ensure that even if an attacker obtains your username and password, they cannot access your account.

Source: BleepingComputer