Cybersecurity researchers have identified a significant fraud operation utilizing Telegram’s Mini App feature for cryptocurrency scams, brand impersonation, and Android malware distribution. The operation, known as FEMITBOT, leverages Telegram bots and embedded Mini Apps to deliver convincing experiences directly within the app.
The CTM360 report indicates that FEMITBOT conducts various scams, including fake cryptocurrency platforms and fraudulent financial services, by impersonating well-known brands. This tactic enhances the operation’s credibility, allowing it to engage unsuspecting users.
The operation has impersonated brands such as Apple, Coca-Cola, Disney, and IBM using a common infrastructure: multiple phishing domains return the same API response, “Welcome to join the FEMITBOT platform.” This shared response points to a single backend behind the fraud operation.
Telegram bots present phishing sites within the platform itself. Users who interact with these bots and click “Start” are redirected to a Mini App displaying a phishing page in Telegram’s built-in WebView. Victims are often shown fake dashboards that display fictional balances or earnings, enhanced by countdown timers to create urgency.
As users attempt to withdraw funds, they are directed to deposit more money or complete various referral tasks, a tactic commonly observed in scams. The infrastructure supporting FEMITBOT allows for quick adjustments across different campaigns, making it easy for the attackers to modify branding, languages, and themes.
Moreover, the scam campaigns embed tracking scripts such as the Meta and TikTok pixels to monitor user activity and optimize engagement. Some Mini Apps distribute Android malware while impersonating brands such as the BBC and NVIDIA. Users are urged to download APK files or open links in the in-app browser, which can lead to the installation of harmful software.
CTM360 explains, “The APK filenames are carefully chosen to resemble legitimate applications or use random-looking names that don’t immediately trigger suspicion.” The APKs are hosted on the same domain as the API, ensuring valid TLS certificates to avoid browser warnings.
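Taken together, the shared API banner, the tracking pixels, and the APKs served from the same host give a defender something concrete to look for in captured web responses. The following Python triage script is an added example, not code from CTM360 or the report; the pixel loader URL patterns and the sample captures are assumptions constructed for illustration.

```python
import re

# Shared API response that CTM360 reports across this operation's phishing domains.
FEMITBOT_BANNER = "Welcome to join the FEMITBOT platform"

# Loader URLs for the Meta and TikTok pixels (assumed patterns, not taken from the report).
PIXEL_PATTERNS = {
    "meta": re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js", re.I),
    "tiktok": re.compile(r"analytics\.tiktok\.com/i18n/pixel/", re.I),
}
# Any link to an .apk file; group 1 captures the serving host.
APK_LINK = re.compile(r"https?://([^/\s\"']+)/[^\s\"']*\.apk\b", re.I)

def assess_response(host: str, body: str) -> dict:
    """Score one captured HTTP response body against the indicators above."""
    apk_matches = list(APK_LINK.finditer(body))
    result = {
        "host": host,
        "banner": FEMITBOT_BANNER in body,
        "pixels": sorted(n for n, p in PIXEL_PATTERNS.items() if p.search(body)),
        "apk_links": [m.group(0) for m in apk_matches],
        # APK hosted on the page's own domain, as the report describes
        "same_host_apk": any(m.group(1).lower() == host.lower() for m in apk_matches),
    }
    if result["banner"]:
        result["verdict"] = "femitbot-backend"      # direct match on the shared API banner
    elif result["same_host_apk"] and result["pixels"]:
        result["verdict"] = "suspicious-mini-app"   # self-hosted APK plus ad-tracking pixels
    elif result["apk_links"]:
        result["verdict"] = "apk-download"
    else:
        result["verdict"] = "no-indicator"
    return result

# Constructed sample captures (host, body); the hostnames are placeholders, not real domains.
SAMPLES = [
    ("api.example-invest.test", '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}'),
    ("app.example-brand.test",
     '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>'
     '<a href="https://app.example-brand.test/dl/Update_Service.apk">Install</a>'),
    ("www.example-news.test", "<html><body>Weather: sunny</body></html>"),
]

def triage(samples=SAMPLES) -> list:
    """Assess every captured response and return the list of results."""
    return [assess_response(h, b) for h, b in samples]

if __name__ == "__main__":
    for r in triage():
        print(f"{r['host']:26} {r['verdict']:20} pixels={r['pixels']} apk={r['apk_links']}")
```

The banner check is the strongest signal because it identifies the shared backend; the pixel and APK checks only raise suspicion and should be confirmed against the full capture.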
Experts advise users to exercise caution with Telegram bots that promote crypto investments, especially those requesting deposits or app downloads. Android users are also warned against sideloading APK files, since sideloaded packages are a common channel for malware distributed outside the Google Play Store.