Telegram Mini Apps victimized by crypto scams, Android malware delivery

Cybersecurity researchers have uncovered a large-scale fraud operation that abuses Telegram’s Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware.
A new CTM360 report says the platform, which the researchers named FEMITBOT after a string found in its API responses, uses Telegram bots and embedded Mini Apps to create a convincing, app-like experience directly inside the messaging client.
Telegram Mini Apps are lightweight web applications that run within Telegram’s built-in browser, enabling services such as payments, account access, and interactive tools without requiring users to leave the application.
Abusing Telegram’s Mini Apps
According to a CTM360 report shared with BleepingComputer, the FEMITBOT platform is used to commit many types of fraud, including fake cryptocurrency platforms, financial services, AI tools, and streaming sites.
In various campaigns, threat actors have impersonated widely known brands to increase credibility and engagement, while reusing the same backend infrastructure across different domains and Telegram bots.
Some of the brands impersonated in this campaign include Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, YouKu,

Source: CTM360
The researchers say the activity relies on a shared backend: multiple phishing domains return the same API response, “Welcome to join the FEMITBOT platform,” indicating that they all use the same infrastructure.

Source: CTM360
The service uses Telegram bots to display phishing sites directly within the messaging app. When a user interacts with the bot and taps “Start,” the bot launches a Mini App that renders the phishing page in Telegram’s built-in WebView, making it appear to be part of the app itself.
Once inside, victims are shown dashboards with fake balances or “earnings,” often paired with countdown timers or limited-time offers to create a sense of urgency.
When users try to withdraw funds, they are instructed to first make a deposit or complete a transfer, a common tactic in investment and advance-fee scams.
Researchers say the infrastructure is designed to be used across different campaigns, allowing attackers to easily change logos, languages, and themes.
Campaigns also use tracking scripts, such as Meta and TikTok tracking pixels, to track user activity, measure conversions, and potentially optimize campaign performance.
Other Mini Apps have also been used to distribute malware in the form of Android APKs impersonating brands such as BBC, NVIDIA, CineTV, CoreWeave, and Claro.

Source: CTM360
Users are instructed to download Android APK files, open links within the in-app browser, or install persistent web apps that emulate official software.
“APK file names are carefully chosen to resemble legitimate applications or use random-looking names that do not immediately arouse suspicion,” CTM360 explained.
“APKs are hosted in the same domain as the API, which ensures the validity of the TLS certificate and avoids mixed content warnings in the browser.”
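As an added defender-side example (not code from the CTM360 report or this article), the script below pivots on the two infrastructure traits described above: it clusters captured API responses by the shared “Welcome to join the FEMITBOT platform” marker and flags whether an advertised APK is hosted on the API’s own domain. The hostnames and response bodies are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Marker string the report says every FEMITBOT backend returns.
FEMITBOT_MARKER = "Welcome to join the FEMITBOT platform"
# Constructed sample responses: hostnames and bodies are made up for illustration.
SAMPLE_RESPONSES = {
    "https://brand-one.example/api/init":
        '{"code":0,"msg":"Welcome to join the FEMITBOT platform",'
        '"apk":"https://brand-one.example/dl/app.apk"}',
    "https://brand-two.example/api/init":
        '{"code":0,"msg":"Welcome to join the FEMITBOT platform",'
        '"apk":"https://cdn-other.example/app.apk"}',
    "https://legit-shop.example/api/init": '{"code":0,"msg":"ok"}',
}

def apk_download_url(body):
    """Return the first string in the JSON body that points at an .apk file, else None."""
    try:
        stack = [json.loads(body)]
    except ValueError:
        return None
    while stack:  # iterative walk over nested dicts/lists
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str) and node.lower().endswith(".apk"):
            return node
    return None

def apk_shares_api_host(api_url, body):
    """True if the APK is served from the API's own host, False otherwise, None if no APK link."""
    apk = apk_download_url(body)
    if apk is None:
        return None
    return urlparse(apk).netloc.lower() == urlparse(api_url).netloc.lower()

def cluster_by_backend(responses):
    """Group API hosts by the backend marker found in the raw response text."""
    clusters = defaultdict(list)
    for api_url, body in responses.items():
        if FEMITBOT_MARKER in body:  # search raw text so odd JSON still matches
            clusters[FEMITBOT_MARKER].append(urlparse(api_url).netloc)
    return {marker: sorted(hosts) for marker, hosts in clusters.items()}
```

Feeding real captured responses into `cluster_by_backend` groups lookalike domains by shared backend, and `apk_shares_api_host` highlights the same-origin APK hosting pattern worth blocking at the proxy.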
Users should be cautious when interacting with Telegram bots that promote crypto investments or prompt them to launch Mini Apps, especially if they are asked to deposit money or download apps.
As a general rule, Android users should avoid sideloading APK files, which are often used to distribute malware outside of the Google Play Store.