Telegram Mini Apps Exploited for Crypto Scams and Malware Delivery

A large-scale fraud operation named FEMITBOT is abusing Telegram's Mini App feature to run cryptocurrency scams, impersonate well-known brands, and distribute Android malware, according to CTM360 researchers. Mini Apps are lightweight web applications that run inside Telegram's built-in browser, letting services operate without the user leaving the messaging platform. The operation runs on a shared backend: multiple phishing domains return the same API response, which identifies the underlying platform and ties the domains together.

Attackers deploy Telegram bots that launch Mini Apps displaying phishing pages directly within Telegram's WebView, making fraudulent content appear as part of the legitimate app. Victims see dashboards with fake balances or earnings paired with countdown timers to create urgency, but withdrawal attempts prompt deposit requirements or referral tasks typical of advance-fee scams. Impersonated brands include Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu.

The infrastructure supports easy rebranding across campaigns and uses tracking scripts such as Meta and TikTok pixels to measure and optimize performance. Some Mini Apps distribute Android APKs impersonating BBC, NVIDIA, Coreweave, and Claro, hosted on the same domains as the scam APIs so that downloads are served under valid certificates. Users are advised to avoid interacting with Telegram bots that promote crypto investments or request app downloads, and Android users should never sideload APK files from outside Google Play. The malware delivery method exploits trust in the Telegram platform while using legitimate-looking APK filenames to avoid immediate suspicion.
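The report's two infrastructure observations, that many phishing domains return one identical API response and that some of those same domains serve APK downloads, are exactly what a defender pivots on when clustering a campaign. The script below is an added example, not CTM360's tooling or anything from the report: it takes a constructed, offline list of HTTP responses (the endpoint path, JSON keys and values, domain names and the APK bytes are all assumptions for illustration), normalises JSON bodies so key order does not matter, hashes them, and groups domains that share a backend fingerprint, then lists which domains are handing out Android packages.

```python
"""Cluster suspected phishing domains by shared backend fingerprint.

Added example (not CTM360's code). Input is a constructed list of HTTP
responses captured offline; no network calls are made. Domains whose API
endpoint returns the same normalised JSON are grouped together, which is
how a shared backend like the one described in the report shows up.
"""
import hashlib
import json
from collections import defaultdict

# Constructed sample captures. The JSON keys/values and domain names are
# assumptions for illustration, not values taken from the report.
SAMPLE_RESPONSES = [
    {"domain": "brand-a-rewards.example", "content_type": "application/json",
     "body": '{"platform":"femitbot","version":"2.1","status":"ok"}'},
    {"domain": "brand-b-bonus.example", "content_type": "application/json",
     "body": '{"status":"ok","platform":"femitbot","version":"2.1"}'},
    {"domain": "unrelated-shop.example", "content_type": "application/json",
     "body": '{"status":"ok","cart":[]}'},
    {"domain": "brand-c-app.example",
     "content_type": "application/vnd.android.package-archive",
     "body": "PK\\x03\\x04..."},  # placeholder for APK bytes
]

APK_MIME = "application/vnd.android.package-archive"


def fingerprint(content_type: str, body: str) -> str:
    """Hash a response so that semantically identical JSON bodies match even
    when key order or whitespace differs; non-JSON bodies are hashed as-is."""
    canonical = body
    if content_type.startswith("application/json"):
        try:
            canonical = json.dumps(json.loads(body), sort_keys=True,
                                   separators=(",", ":"))
        except json.JSONDecodeError:
            pass  # malformed JSON: fall back to the raw body
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def cluster_by_backend(responses):
    """Group domains whose API responses share a fingerprint.

    Returns {fingerprint: sorted domains} for clusters of two or more
    domains; singletons are not evidence of shared infrastructure."""
    groups = defaultdict(set)
    for r in responses:
        groups[fingerprint(r["content_type"], r["body"])].add(r["domain"])
    return {fp: sorted(d) for fp, d in groups.items() if len(d) >= 2}


def apk_serving_domains(responses):
    """Domains whose response is an Android package. These deserve a closer
    look when they also sit in a shared-backend cluster."""
    return sorted({r["domain"] for r in responses
                   if r["content_type"] == APK_MIME})


if __name__ == "__main__":
    for fp, domains in cluster_by_backend(SAMPLE_RESPONSES).items():
        print(f"shared backend {fp}: {', '.join(domains)}")
    print("APK-serving domains:", apk_serving_domains(SAMPLE_RESPONSES))
```

In practice the response list would come from a passive-DNS or URL-scanning feed rather than a hard-coded list, and the fingerprint should be computed on a canonical form (sorted keys, stripped whitespace) as done here, otherwise trivial reordering by the backend would split one campaign into several clusters.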
