Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery
Cybersecurity researchers have uncovered FEMITBOT, a Telegram-based fraud operation that uses Mini Apps and bots to run fake crypto platforms, impersonate brands (Apple, NVIDIA, Disney, eBay, IBM, Moon Pay, YouKu, and more), and deliver Android malware. The campaigns share a common backend, allow rapid branding/language changes, and use tracking pixels to optimize performance. Victims encounter fake dashboards and urgency tactics, then are urged to deposit funds or complete referrals; some Mini Apps push Android APKs masquerading as legitimate apps via the in-app browser. Users are advised to avoid crypto-promoting Telegram bots and sideloading APKs.

Telegram Mini Apps Abused for Crypto Scams, Android Malware Delivery
Overview
- Cybersecurity researchers have uncovered a large-scale fraud operation that leverages Telegram’s Mini App feature to run crypto scams, impersonate well-known brands, and deliver Android malware.
- The operation centers on a platform named FEMITBOT, built on a shared backend and accessed through Telegram bots and embedded Mini Apps that run inside Telegram’s built-in browser.
- The abuse turns Telegram into a self-contained app ecosystem where users encounter phishing sites, fake dashboards, and urgency-driven prompts without leaving the messaging app.
How FEMITBOT Works
- The core infrastructure uses a common API response that includes a message like “Welcome to join the FEMITBOT platform,” signaling that the same underlying system supports multiple campaigns.
- Telegram bots initiate the experience by directing users to a Mini App that loads within Telegram’s WebView, making the phishing page feel native to the app.
- Once inside, users are presented with dashboards showing fake balances or earnings, often accompanied by countdown timers or time-limited offers to create urgency.
- Attempts to withdraw funds trigger prompts to deposit money or complete referral tasks, a classic pattern of investment and advance-fee scams.
Brand Impersonation and Campaign Variants
- Threat actors impersonate a wide range of trusted brands to boost credibility and engagement, while reusing the same backend across campaigns.
- Impersonated brands include Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu, among others.
- The same infrastructure is repurposed with different branding, languages, and themes to target diverse audiences.
Technical and Infrastructure Details
- The campaigns rely on a shared backend where numerous phishing domains pull from the same API responses, enabling a new look and feel to be deployed rapidly while the core functionality stays the same.
- The attack chain starts with a Telegram bot; upon user interaction and “Start,” the Mini App launches a phishing experience directly within Telegram’s environment.
- Tracking scripts, including Meta and TikTok pixels, are embedded to monitor user activity, measure conversions, and optimize campaign performance.
Malware Delivery Through Android APKs
- Some FEMITBOT Mini Apps attempt to push malware by distributing Android APKs that masquerade as legitimate software tied to the impersonated brands.
- APKs are promoted within the in-app browser or linked through the Mini App’s flow, prompting users to download files or visit pages that lead to app installations.
- Filenames for these APKs are crafted to resemble real applications or appear as random-looking names to avoid immediate suspicion.
- The APKs are hosted on the same domain as the API, ensuring TLS certificate validity and avoiding browser mixed-content warnings, which helps maintain a perception of legitimacy.
Exact Malware Targets in Campaigns
- APKs linked to the campaigns have impersonated brands such as the BBC, NVIDIA, CineTV, Coreweave, and Claro, illustrating a strategy of leveraging recognizable names to lower user skepticism.
- Delivery methods include requesting users to download APKs, open links within the in-app browser, or install progressive web apps that mimic legitimate software.
User Experience and Trust Erosion
- The Mini Apps are designed to blend into Telegram’s experience, presenting as legitimate tools or services rather than external downloads.
- Phishing dashboards simulate real financial interfaces, including balances and earnings, driving engagement through perceived opportunity.
- Time-pressured offers and limited-time deals increase the likelihood of user actions like deposits or referrals, accelerating scam progression.
Operational Advantages of a Shared Backend
- A single backend supports multiple campaigns, enabling rapid branding swaps, language localization, and theme changes without rebuilding the core system.
- This approach allows attackers to scale operations and tailor campaigns to specific demographics or markets with minimal overhead.
Defensive Signals and Red Flags
- Interacting with Telegram bots that promote crypto investments or urge you to launch a Mini App should raise suspicion, especially if deposits or app downloads are requested.
- The presence of in-app dashboards showing suspicious earnings, coupled with countdown timers and urgent withdrawal prompts, is a common scam indicator.
- APK prompts that request installation outside official app stores, or downloads from non-verified domains, are high-risk signals.
- A consistent pattern of impersonating well-known brands, combined with domain names and API responses that feel generic or reused, can indicate a centralized fraud operation.
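As an added example (not code from the report or from the operation it describes), here is a defender-side triage heuristic that scores HTTP observations from a web proxy or mobile gateway against the red flags above: the reused API greeting, an APK served from the same host as that API, and embedded Meta/TikTok pixel tags. All hostnames, paths and response bodies are constructed, and the pixel markers are assumed from the public tag names.

```python
import re
from collections import defaultdict

# Constructed sample observations (one dict per HTTP response a proxy or mobile
# gateway logged); the hostnames use the reserved .invalid TLD and are not real.
OBSERVATIONS = [
    {"host": "bonus-invest.invalid", "path": "/api/user/init",
     "content_type": "application/json",
     "body": '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}'},
    {"host": "bonus-invest.invalid", "path": "/app/index.html",
     "content_type": "text/html",
     "body": "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"
             "<script>ttq.load('CONSTRUCTED-ID')</script>"},
    {"host": "bonus-invest.invalid", "path": "/dl/NVIDIA_Rewards.apk",  # constructed name
     "content_type": "application/vnd.android.package-archive", "body": ""},
    {"host": "news-site.invalid", "path": "/index.html",
     "content_type": "text/html",
     "body": "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"},
]

# The greeting the report says the shared backend returns across campaigns.
API_GREETING = re.compile(r"Welcome to join the FEMITBOT platform", re.IGNORECASE)
# Assumed markers of the Meta and TikTok pixel tags the report mentions.
PIXEL_MARKERS = ("fbevents.js", "fbq(", "ttq.load(", "analytics.tiktok.com")
APK_TYPE = "application/vnd.android.package-archive"

def score_hosts(observations):
    """Map each host to (indicator_count, {indicator: first path seen}).
    Each indicator is counted once per host so a chatty site is not over-scored."""
    indicators = defaultdict(dict)
    for o in observations:
        found = indicators[o["host"]]
        if API_GREETING.search(o["body"]):
            found.setdefault("api_greeting", o["path"])
        if o["content_type"] == APK_TYPE or o["path"].lower().endswith(".apk"):
            found.setdefault("apk_download", o["path"])
        if any(m in o["body"] for m in PIXEL_MARKERS):
            found.setdefault("tracking_pixel", o["path"])
    return {host: (len(found), found) for host, found in indicators.items()}

def flagged_hosts(observations, threshold=2):
    """Hosts showing at least `threshold` distinct indicators. A pixel alone is
    ordinary marketing; a pixel plus an APK co-hosted with the greeting API is not."""
    scores = score_hosts(observations)
    return sorted(h for h, (n, _) in scores.items() if n >= threshold)

if __name__ == "__main__":
    print("flagged:", flagged_hosts(OBSERVATIONS))
```

The threshold keeps the legitimate site with only a pixel out of the result while the host that co-hosts the APK with the greeting API is flagged.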
Context and Related Developments
- The FEMITBOT campaign adds to a broader landscape of crypto and malware scams seen on messaging platforms, where fraudsters leverage trust in familiar brands and the familiarity of app-like interfaces to lower user skepticism.
- Tracking and analytics tools embedded in these campaigns reflect a push toward optimized conversion, mirroring legitimate marketing techniques to improve scam efficacy.
What This Means in Practice
- Telegram Mini Apps, while legitimate technology, can be exploited to deliver convincing phishing experiences and to distribute malware when misused by coordinated threat actors.
- Users should exercise heightened skepticism when bots promote financial activities, crypto investments, or require in-app actions that deviate from normal usage patterns.
- The convergence of phishing, brand impersonation, and targeted malware delivery demonstrates the evolving sophistication of abuse in modern messaging environments.
Concluding Observations
- FEMITBOT illustrates how an integrated backend and embedded Mini Apps can be repurposed to create scalable, convincing fraud campaigns within a mainstream messaging platform.
- The combination of realistic dashboards, time-sensitive incentives, brand impersonation, and malware distribution challenges conventional detection approaches and underscores the need for continual monitoring and verification of unexpected app-like experiences inside messaging apps.