Cybercriminals have begun actively abusing Telegram Mini Apps to extort cryptocurrency and infect Android smartphones. The schemes pose as legitimate services inside the messenger and mislead users before they have a reason to be suspicious.
Researchers recently uncovered a large phishing operation that uses Telegram's Mini App feature to run crypto scams, impersonate popular brands, and distribute malicious Android apps.
CTM360 describes FEMITBOT as a "platform"; the name comes from an identifying string that researchers observed in the operation's API responses. The system as a whole consists of Telegram bots and Mini Apps that together create the illusion of a complete service running inside the messenger.
Telegram Mini Apps are lightweight web applications that open inside the messenger's built-in browser (a WebView) rather than in a separate app or browser tab. That ease of access is what the attackers are exploiting: the user never leaves Telegram, so the usual cues that they have landed on an unfamiliar website are missing.
Researchers stated that FEMITBOT is used for several types of scams, specifically fraudulent crypto platforms, pseudo-financial services, fake AI tools, and even streaming sites. Each campaign has a different outer layer, but they all share the same backend.
To build confidence among their targets, the attackers disguise their bots as many well-known brands. Examples include Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, and YouKu.

The scam itself is simple. When a Telegram user opens the bot and taps "Start", a new application window opens inside the Telegram WebView showing a fake login page. Because it looks like any other Mini App in Telegram, the victim has little reason to suspect that anything is wrong.
Once the user logs in, they see what appears to be a balance or earnings figure in their account, and countdown timers or limited-time offers push them to act quickly. When the victim tries to withdraw funds, they are told to deposit money first or to complete referrals. This is the classic pattern of investment fraud.
FEMITBOT was designed to scale. The attackers repeatedly change the design, language, and theme of each campaign while keeping the underlying infrastructure the same, which lets them run many campaigns at low cost.

Separately, the researchers drew attention to the use of tracking scripts. The campaigns embed Meta and TikTok tracking pixels, which let the operators measure user behavior and tune the fraudulent flows the way legitimate advertisers optimize landing pages.
In addition to financial fraud, the scheme also distributes malware. Some Mini Apps offer Android APK downloads disguised as well-known services, including BBC, NVIDIA, CineTV, CoreWeave, and Claro.

Users are prompted to download the files, open URLs in their native browser, or install Progressive Web Apps (PWAs). All of these are presented as normal, trusted applications but can carry malware.
According to CTM360, the APK file names are chosen specifically to minimize suspicion: sometimes they mimic popular applications, other times they are entirely generic. In either case the files are hosted on the same domain as the backend API, which reduces browser download warnings and makes the flow feel safer than a download from an unrelated site.
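The download and redirect lures described above can be spotted with a static look at a Mini App's HTML. The following is an added example written for this article, not CTM360's tooling or anything from the campaign: it parses a page offline, flags APK downloads, PWA manifests, and links that push the user into an external browser, and records whether each download is served from the same host as the API. The page URL, API base URL, and HTML are constructed for illustration; the only real identifier used is the public Telegram Web App SDK script name, whose presence is used as a hint that the page is a Mini App.

```python
"""Static triage of a Telegram Mini App page for install and redirect lures.

Added example, not CTM360's code. Sample URLs and HTML below are constructed.
"""
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a brand-themed Mini App page with several lures.
SAMPLE_PAGE_URL = "https://app.example-miniapp.test/nvidia/"
SAMPLE_API_BASE = "https://app.example-miniapp.test/api/v1/"
SAMPLE_HTML = """
<html><head>
<link rel="manifest" href="/nvidia/manifest.webmanifest">
<script src="https://telegram.org/js/telegram-web-app.js"></script>
</head><body>
<h1>NVIDIA Rewards</h1>
<a href="/static/NVIDIA_App.apk" download>Install the app</a>
<a href="https://cdn.example-other.test/update.apk">Update</a>
<a href="https://payments.example-other.test/deposit" target="_blank">Deposit</a>
<a href="/faq">FAQ</a>
</body></html>
"""


class _TagCollector(HTMLParser):
    """Collect anchors, <link rel=manifest> entries and <script src> values."""

    def __init__(self):
        super().__init__()
        self.anchors = []    # (href, target, has_download_attr)
        self.manifests = []  # href of each <link rel="manifest">
        self.scripts = []    # src of each <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append((a["href"], (a.get("target") or "").lower(), "download" in a))
        elif tag == "link" and "manifest" in (a.get("rel") or "").lower() and a.get("href"):
            self.manifests.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def triage_mini_app(page_url, api_base, html):
    """Return a report of APK, PWA and external-browser lures found in `html`."""
    parser = _TagCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    api_host = urlparse(api_base).hostname
    findings = []

    for href, target, has_download in parser.anchors:
        url = urljoin(page_url, href)
        p = urlparse(url)
        if p.path.lower().endswith(".apk") or has_download:
            findings.append({
                "kind": "apk_download",
                "url": url,
                "filename": p.path.rsplit("/", 1)[-1],
                # The article notes that hosting the APK on the API's own
                # domain reduces browser download warnings; record that.
                "same_host_as_api": p.hostname == api_host,
            })
        elif target == "_blank" and p.hostname not in (page_host, api_host):
            # A link that leaves the WebView for a third-party host.
            findings.append({"kind": "external_browser_link", "url": url})

    for href in parser.manifests:
        url = urljoin(page_url, href)
        findings.append({
            "kind": "pwa_manifest",
            "url": url,
            "same_host_as_api": urlparse(url).hostname == api_host,
        })

    # The official Telegram Web App SDK script is a strong hint that the
    # page is meant to run as a Mini App inside the Telegram WebView.
    uses_sdk = any("telegram-web-app.js" in urljoin(page_url, s) for s in parser.scripts)
    return {"uses_telegram_webapp_sdk": uses_sdk, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(triage_mini_app(SAMPLE_PAGE_URL, SAMPLE_API_BASE, SAMPLE_HTML), indent=2))
```

In practice the HTML would come from fetching the Mini App URL that the bot hands out, and the API base from the requests the page makes; the report then tells an analyst at a glance whether a "brand" Mini App is really pushing an APK or a PWA from the same infrastructure as its API.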
Experts advise caution when interacting with any Telegram bot that offers investment opportunities or invites you to create or launch your own "mini-app", especially when money is involved or an application has to be installed.
They also recommend not downloading APK files from anywhere other than the official Google Play Store, since most Android malware is distributed through unofficial channels.