FEMITBOT Scam Uses Telegram Mini Apps to Push Crypto Fraud
CTM360 exposes FEMITBOT, a large-scale fraud operation abusing Telegram Mini Apps to run crypto scams, impersonate brands like Apple and NVIDIA, and distribute Android malware.
Cybersecurity researchers at CTM360 have uncovered a large-scale fraud operation called FEMITBOT that exploits Telegram's Mini App feature to conduct crypto scams, impersonate major brands, and distribute Android malware. The campaign targets users through bots that display phishing pages directly within Telegram's built-in browser.
The attack works because Telegram Mini Apps feel native to the platform. Victims interact with what appears to be a legitimate in-app experience rather than being redirected to a suspicious external website, even though what they see is an ordinary web page loaded from a URL the bot operator controls. Telegram does not review a Mini App before it goes live: anyone who registers a bot can attach one, with no code review and no developer verification.
How FEMITBOT Works
The fraud operation uses Telegram bots to display embedded Mini Apps within the messaging platform. When a victim interacts with a FEMITBOT-controlled bot, they see:
- Fake cryptocurrency investment dashboards showing fabricated account balances
- Countdown timers creating urgency to "act now"
- Phishing forms collecting credentials and payment information
- Prompts to download Android APK files
When users attempt to withdraw their supposed earnings, they face demands for additional deposits or referral task completion—classic advance-fee fraud tactics. The fake balances never existed, and any money sent to "unlock" withdrawals goes directly to the attackers.
Brand Impersonation at Scale
FEMITBOT impersonates major technology and media brands to boost credibility. CTM360 identified fake Mini Apps mimicking:
- Apple
- NVIDIA
- Disney
- eBay
- IBM
- MoonPay
- Coca-Cola
- YouKu
The brand impersonation extends to the Android malware component. Malicious APK files were named to resemble BBC, NVIDIA, CineTV, Coreweave, and Claro applications. According to CTM360, "APK filenames are carefully chosen to resemble legitimate applications or use random-looking names that don't immediately trigger suspicion."
These APKs were hosted on the same domain infrastructure as the scam API backend, suggesting a unified operation rather than separate campaigns.
Why Telegram Mini Apps Are Risky
Telegram Mini Apps are lightweight web applications that run inside the platform's built-in browser, enabling payments, account access, and interactive tools without requiring users to leave the app. The feature launched as a way for businesses to offer services within Telegram.
The problem is vetting—or the lack of it. Telegram doesn't review Mini App code, functionality, or developer intent before an app goes live. Compare this to Apple's App Store or Google Play, where submissions face automated scanning and human review (however imperfect those processes may be).
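As an added illustration of how little stands between a bot and a "native"-looking Mini App (this is example code written for this article, not code from CTM360's report or from Telegram), the script below walks a Bot API message object and pulls out every Mini App launch point. A `web_app` button carries the target HTTPS URL in the message markup itself; a `t.me/<bot>/<app>` direct link resolves to a URL registered with Telegram, which the message does not reveal. The message, the bot name and the `.test` hostnames are constructed placeholders, not indicators from the report.

```python
"""Extract Mini App launch points from a Telegram Bot API message.

Added example, not code from the CTM360 report or from Telegram. Uses the
documented Bot API shapes: InlineKeyboardButton.web_app and
KeyboardButton.web_app hold a WebAppInfo {"url": ...}; direct links take the
form https://t.me/<botusername>/<appname> or t.me/<botusername>?startapp=...
"""
import json
from urllib.parse import urlsplit

# Constructed sendMessage payload standing in for a scam bot's message.
# The bot name and the .test hostnames are placeholders, not indicators.
SAMPLE_MESSAGE = json.loads("""
{
  "chat_id": 123456789,
  "text": "Your NVIDIA investment dashboard is ready",
  "reply_markup": {
    "inline_keyboard": [
      [{"text": "Open dashboard",
        "web_app": {"url": "https://dashboard.example-nvidia-rewards.test/app"}}],
      [{"text": "Withdraw", "url": "https://t.me/example_bot/withdraw"}]
    ]
  }
}
""")


def _buttons(message):
    """Yield every button dict from an inline or reply keyboard."""
    markup = message.get("reply_markup") or {}
    rows = list(markup.get("inline_keyboard", [])) + list(markup.get("keyboard", []))
    for row in rows:
        for button in row:
            if isinstance(button, dict):      # reply keyboards may hold bare strings
                yield button


def is_direct_link(url):
    """Heuristic for a Mini App direct link on t.me.

    t.me/<bot>/<app> opens the app named <app>; t.me/<channel>/<number> is a
    post link, so a numeric second segment is excluded. t.me/<bot>?startapp=
    opens the bot's main Mini App.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() not in ("t.me", "telegram.me"):
        return False
    path = [p for p in parts.path.split("/") if p]
    if len(path) == 2 and not path[1].isdigit():
        return True
    return len(path) == 1 and "startapp=" in parts.query


def mini_app_launches(message):
    """Return [(button_text, url, kind)] for every button that opens a Mini App.

    kind is "web_app" when the HTTPS target is visible in the markup, or
    "direct_link" when Telegram resolves the target from the bot's settings.
    """
    found = []
    for button in _buttons(message):
        web_app = button.get("web_app") or {}
        if web_app.get("url"):
            found.append((button.get("text", ""), web_app["url"], "web_app"))
        elif button.get("url") and is_direct_link(button["url"]):
            found.append((button.get("text", ""), button["url"], "direct_link"))
    return found


def launch_hosts(message):
    """Hostnames the Mini App content is actually loaded from."""
    return sorted({urlsplit(url).hostname for _, url, kind in mini_app_launches(message)
                   if kind == "web_app"})


def off_allowlist(message, allowed_hosts):
    """Hosts behind web_app buttons that are not on the caller's allowlist."""
    return [host for host in launch_hosts(message) if host not in allowed_hosts]


if __name__ == "__main__":
    for text, url, kind in mini_app_launches(SAMPLE_MESSAGE):
        print(f"{kind:12} {text!r:20} -> {url}")
    print("not allowlisted:", off_allowlist(SAMPLE_MESSAGE, {"example.test"}))
```

The first button is all a bot needs: Telegram renders the page behind it inside its built-in browser under the bot's name, which is the "native" feel the report describes. The hostname it loads from appears only in the markup (or, for a direct link, in the bot's app settings), so pulling these URLs out of captured bot messages is the quickest way to tie a Mini App to the infrastructure behind it.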
This mirrors the broader trend of attackers abusing legitimate platforms we've covered recently. The ConsentFix OAuth attacks used Azure infrastructure to bypass email security, and AccountDumpling phishing campaigns leveraged Google AppSheet as a relay. Legitimate platforms provide attacker infrastructure that doesn't trigger reputation-based blocking.
Android Malware Distribution
Beyond the crypto scams, FEMITBOT distributes Android malware through the Mini App interface. Users are prompted to download APK files, which means allowing installs from outside Google Play on their device, and the apps request excessive permissions once installed.
Some Mini Apps also included Meta and TikTok tracking pixels, allowing the operators to measure "conversion rates" on their scam campaigns with the same analytics tools legitimate marketers use.
The Android malware component hasn't been fully analyzed yet, but info-stealing functionality is likely given the campaign's focus on credentials and cryptocurrency wallets. For users who may have installed suspicious APKs, our malware removal guide covers Android-specific cleanup steps.
Protection Recommendations
Users should treat Telegram Mini Apps with skepticism, particularly those promoting:
- Cryptocurrency investments with guaranteed returns
- Urgent limited-time offers requiring immediate action
- Downloads of APK files outside official app stores
- Requests for deposits to "unlock" account balances
Telegram doesn't offer a way to globally disable Mini Apps, but users can:
- Avoid interacting with bots from unknown sources
- Never download APK files prompted by Telegram bots
- Report suspicious Mini Apps to Telegram via the platform's abuse reporting
- Keep Google Play Protect enabled (Play Store app > profile icon > Play Protect); it replaced the older "Verify apps" setting and scans sideloaded APKs at install time and periodically afterwards
Organizations using Telegram for business communication should consider whether Mini Apps pose acceptable risk given the lack of vetting. Mobile device management policies can block sideloaded APK installation on corporate Android devices; Android Enterprise exposes this as a restriction on installing apps from unknown sources.
Tracking Pixels and Scale
The Meta and TikTok tracking pixels suggest FEMITBOT's operators run this like a business, measuring campaign performance and optimizing their scam funnels. CTM360 didn't estimate victim counts, but the scale of the infrastructure (multiple domains, numerous brand impersonations, and both phishing pages and Android malware) indicates significant investment.
Organizations interested in detecting lookalike domains targeting their brand can use tools like Greyphish to monitor for phishing infrastructure registrations in real time.
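For the brand-lookalike naming seen in the APK filenames earlier and the lookalike-domain monitoring this paragraph mentions, the following is an added example of the kind of check such tooling performs; it is not Greyphish's or CTM360's code. It folds common digit-for-letter substitutions, then looks for a brand from the article's list inside each name token, falling back to a one-edit typosquat match. The brand list is taken from the article; the filenames and `.test` domains it scores are constructed for the example, not indicators from the report.

```python
"""Score APK filenames and domains for brand impersonation.

Added example; not code from Greyphish or CTM360. BRANDS lists the names the
article reports FEMITBOT impersonating; the SAMPLE_* inputs below are
constructed for the example and are not indicators from the report.
"""
import re
from urllib.parse import urlsplit

BRANDS = ["apple", "nvidia", "disney", "ebay", "ibm", "moonpay", "cocacola",
          "youku", "bbc", "cinetv", "coreweave", "claro"]

# Digit and symbol look-alikes commonly swapped for letters in typosquats.
_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "|": "l", "@": "a"})

SAMPLE_APKS = ["NVIDIA_Rewards.apk", "CineTV-Player.apk", "Coreweave.Invest.apk",
               "Claro-Movil.apk", "xk3j9q2.apk"]
SAMPLE_DOMAINS = ["https://nvidia-bonus.example.test/api", "app1e-id.example.test",
                  "c1netv-app.example.test", "weather-update.example.test"]


def normalize(token):
    """Lower-case, fold look-alike characters, keep letters only."""
    return re.sub(r"[^a-z]", "", token.lower().translate(_LOOKALIKES))


def levenshtein(a, b):
    """Edit distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens_from_apk(filename):
    """Split 'Brand-Something.apk' into its name parts."""
    stem = re.sub(r"\.apk$", "", filename.rsplit("/", 1)[-1], flags=re.I)
    return [t for t in re.split(r"[\s._-]+", stem) if t]


def tokens_from_domain(target):
    """Split a URL's or bare domain's hostname into labels and hyphen parts, minus the TLD."""
    if "//" not in target:
        target = "//" + target
    host = (urlsplit(target).hostname or "").lower()
    labels = host.split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    return [t for label in labels for t in re.split(r"[-_]+", label) if t]


def brand_match(tokens):
    """Return ("contains", brand), ("near", brand) or None.

    Pass 1: a brand of 4+ letters embedded in a token, or an exact token for
    short brands (ibm, bbc). Pass 2: a 5+ letter token within one edit of a
    5+ letter brand. Substring matching is deliberately loose and will flag
    some unrelated words; treat hits as leads, not verdicts.
    """
    norm = [n for n in (normalize(t) for t in tokens) if n]
    for tok in norm:
        for brand in BRANDS:
            if tok == brand or (len(brand) >= 4 and brand in tok):
                return ("contains", brand)
    for tok in norm:
        if len(tok) < 5:
            continue
        for brand in BRANDS:
            if len(brand) >= 5 and levenshtein(tok, brand) <= 1:
                return ("near", brand)
    return None


def check_apk(filename):
    return brand_match(tokens_from_apk(filename))


def check_domain(target):
    return brand_match(tokens_from_domain(target))


def triage(apks=SAMPLE_APKS, domains=SAMPLE_DOMAINS):
    """Map each input to its brand hit (None when nothing matched)."""
    return {**{a: check_apk(a) for a in apks}, **{d: check_domain(d) for d in domains}}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:45} {hit}")
```

The random-looking filename in the sample falls through both passes, which matches the report's observation that some APKs use names chosen not to trigger suspicion; name heuristics only catch the brand-themed half of the lure, so hosting overlap with known scam infrastructure (as CTM360 found) remains the stronger pivot. Short brands such as IBM and BBC are matched only as whole tokens to limit noise, and even four-letter substrings like "ebay" will hit inside unrelated words, so thresholds should be tuned per brand.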
The FEMITBOT operation demonstrates how messaging platforms become attack surfaces when features enabling third-party integrations lack security review. Telegram's permissionless Mini App ecosystem trades user safety for developer convenience.
Related Articles
- Iranian APT Deploys Fake RedAlert App to Surveil Israeli Users (Mar 23, 2026): Unit 42 uncovers phishing campaign distributing trojanized Israeli civil defense app. Malicious APK harvests location data, contacts, and messages from Android devices amid regional tensions.
- WEF Report: CEOs Now Fear AI-Powered Fraud More Than Ransomware (Jan 13, 2026): Global Cybersecurity Outlook 2026 finds executives prioritizing cyber-enabled fraud as top risk. Report warns of 'three-front war' against crime, AI misuse, and supply chain threats.
- Iranian Infy APT Resurfaces After Five Years with Telegram-Based C2 (Dec 23, 2025): SafeBreach uncovers new Prince of Persia campaign using updated Foudre and Tonnerre malware, now leveraging Telegram for command and control.
- China-Linked APT Clusters Hit 8 Countries Including NATO State (May 3, 2026): SHADOW-EARTH-053, GLITTER CARP, and SEQUIN CARP target Asian governments, journalists, and activists across Pakistan, Thailand, Poland, and 5 other nations with ShadowPad.