Telegram Mini Apps abused for crypto scams, Android malware delivery
Source: Bleeping Computer

Abusing Telegram mini apps
A report by CTM360, referenced by BleepingComputer, describes a platform, named FEMITBOT after a string found in its API responses, that powers Telegram bots and embedded Mini Apps to create convincing, app‑like experiences directly within the messaging platform.
The FEMITBOT platform is used for multiple scam types, including fake cryptocurrency platforms, financial services, AI tools, and streaming sites. Threat actors impersonate widely recognized brands to increase credibility, reusing the same backend infrastructure across different domains and bots.
Impersonated brands
- Apple
- Coca‑Cola
- Disney
- eBay
- IBM
- MoonPay
- NVIDIA
- Youku

Source: CTM360
Researchers observed a shared backend where multiple phishing domains return the same API response:
“Welcome to join the FEMITBOT platform”

The operation uses Telegram bots to display phishing sites directly within the platform. When a user clicks Start on a bot, it launches a Mini App that shows a phishing page in Telegram’s WebView, making it appear as part of the native app. Inside the Mini App, victims see dashboards with fake balances or “earnings,” often paired with countdown timers or limited‑time offers to create urgency. Withdrawal attempts lead to requests for deposits or referral tasks—common tactics in investment and advance‑fee scams.
The infrastructure is reusable across campaigns, allowing attackers to switch branding, languages, and themes easily. Tracking scripts (e.g., Meta and TikTok pixels) are embedded to monitor user activity, measure conversions, and optimize performance.
Android malware distribution
Some Mini Apps also distribute Android APKs that impersonate brands such as the BBC, NVIDIA, CineTV, CoreWeave, and Claro.

Victims are prompted to download APK files, open links within the in‑app browser, or install progressive web apps that mimic legitimate software. Filenames are crafted to resemble legitimate applications or use random‑looking names that don’t immediately raise suspicion. The APKs are hosted on the same domain as the API, ensuring valid TLS certificates and avoiding mixed‑content warnings.
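The shared API response and the same-domain APK hosting described above both give defenders something to pivot on. The following triage sketch is an added example, not tooling from CTM360 or BleepingComputer; the capture record layout (`api_url`, `body`, `links`), the JSON response shape, and the `.example` domains are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Marker string quoted on the page as the shared API response (lower-cased).
MARKER = "welcome to join the femitbot platform"

def _strings(node):
    """Yield every string value inside a decoded JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from _strings(value)

def has_marker(body):
    """True if the marker appears in the body, parsed as JSON or as plain text."""
    try:
        candidates = list(_strings(json.loads(body)))
    except ValueError:
        candidates = [body]
    # Collapse whitespace and case so trivial reformatting does not hide the string.
    return any(MARKER in re.sub(r"\s+", " ", t).lower() for t in candidates)

def triage(captures):
    """Map each marker-returning API host to the APK links served from that host."""
    report = {}
    for cap in captures:
        host = (urlsplit(cap["api_url"]).hostname or "").lower()
        if not host or not has_marker(cap["body"]):
            continue
        apks = {link for link in cap.get("links", [])
                if (urlsplit(link).hostname or "").lower() == host
                and urlsplit(link).path.lower().endswith(".apk")}
        report.setdefault(host, set()).update(apks)
    return {host: sorted(apks) for host, apks in report.items()}

# Constructed sample captures (reserved .example names, not real indicators).
SAMPLE = [
    {"api_url": "https://api.brand-a.example/v1/hello",
     "body": '{"code": 0, "msg": "Welcome to join the FEMITBOT platform"}',
     "links": ["https://api.brand-a.example/dl/Player.APK?x=1",
               "https://cdn.other.example/app.apk"]},
    {"api_url": "https://brand-b.example/api",
     "body": "Welcome  to join the FEMITBOT\nplatform", "links": []},
    {"api_url": "https://shop.example/api",
     "body": '{"msg": "Welcome"}', "links": ["https://shop.example/a.apk"]},
]
```

Calling `triage(SAMPLE)` groups the two differently branded hosts that return the marker and lists only the APK served from the API's own host; the third host serves an APK but is not attributed to this backend because its response lacks the marker.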
Recommendations
- Be cautious when interacting with Telegram bots that promote crypto investments or prompt you to launch Mini Apps, especially if they ask for deposits or app downloads.
- Android users should avoid sideloading APK files, as they are a common vector for malware distributed outside the Google Play Store.