Ethical Hacking News
A growing threat on Telegram: crypto scams and Android malware delivery using Mini Apps. Learn how you can protect yourself from falling victim to these malicious operations.
Telegram has become a hub for malicious activities, including crypto scams and Android malware delivery. The FEMITBOT operation uses Telegram Mini Apps to create convincing phishing sites within the platform. The operation impersonates widely recognized brands to promote cryptocurrency investment platforms and financial services. Malware is distributed in the form of Android APKs disguised as legitimate software. Cybersecurity experts warn users to be cautious with Telegram bots promoting crypto investments or Mini Apps that ask for funds or downloads.
Telegram has become a hub for malicious activities, and one of the most concerning trends is the use of Telegram Mini Apps to conduct crypto scams and deliver Android malware. In recent months, cybersecurity researchers have uncovered a large-scale operation that utilizes Telegram's Mini App feature to create convincing, app-like experiences within the messaging platform.
The operation, dubbed FEMITBOT, uses Telegram bots and embedded Mini Apps to create phishing sites directly within the platform. When users interact with these bots and click "Start," they are launched into a Mini App that displays a phishing page in Telegram's built-in WebView. The page therefore appears to be part of the app itself, which makes it difficult for users to distinguish between legitimate and malicious content.
The FEMITBOT operation impersonates widely recognized brands such as Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, YouKu, and others, and uses the resulting fake accounts to promote cryptocurrency investment platforms, financial services, AI tools, and streaming sites. The attackers also use tracking scripts from Meta and TikTok to track users' activity, measure conversions, and optimize performance.
Moreover, the operation distributes malware in the form of Android APKs that impersonate brands like the BBC, NVIDIA, CineTV, CoreWeave, and Claro. These APKs are designed to trick users into downloading them, often by disguising them as legitimate software or using random-looking names that don't immediately trigger suspicion.
The campaigns run on a shared backend: multiple phishing domains return the same API response, "Welcome to join the FEMITBOT platform," which indicates they are all using the same infrastructure. This allows the operation to easily switch branding, languages, and themes across different campaigns.
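The shared API response described above gives defenders a pivot for grouping lookalike domains. The following is an added example, not code from the researchers or the original report: it fingerprints captured response bodies and flags those carrying the marker string, and it goes slightly beyond the article by also clustering hosts whose normalised responses are identical. The host names, body layouts and JSON field names are constructed assumptions.

```python
import hashlib
import json
import re
from collections import defaultdict

# Marker string the article reports in the shared API response (compared lowercased).
MARKER = "welcome to join the femitbot platform"

# Constructed sample: (host, response body) pairs. Hosts and body layouts are assumptions.
SAMPLE = [
    ("brand-a.example", '{"code":1,"msg":"Welcome to join the FEMITBOT platform"}'),
    ("brand-b.example", '{"code":1,"msg":"Welcome to join the  FEMITBOT platform "}'),
    ("brand-c.example", "Welcome to join the FEMITBOT platform\n"),
    ("brand-d.example", '{"data":{"tip":"Welcome to join the FEMITBOT platform","lang":"es"}}'),
    ("shop.example", '{"status":"ok"}'),
    ("news.example", "<html><body>hello</body></html>"),
]

def strings_in(body):
    """Yield every text value in a body: all JSON string values, or the raw text."""
    try:
        stack = [json.loads(body)]
    except ValueError:  # not JSON (HTML, plain text): treat the whole body as one string
        yield body
        return
    while stack:
        item = stack.pop()
        if isinstance(item, (dict, list)):
            stack.extend(item.values() if isinstance(item, dict) else item)
        elif isinstance(item, str):
            yield item

def normalise(text):
    """Collapse whitespace and case so cosmetic differences do not split a cluster."""
    return re.sub(r"\s+", " ", text).strip().lower()

def group_by_response(records):
    """Map response fingerprint -> {'hosts': set of hosts, 'marker': bool}."""
    groups = defaultdict(lambda: {"hosts": set(), "marker": False})
    for host, body in records:
        texts = sorted(normalise(s) for s in strings_in(body))
        fingerprint = hashlib.sha256("\n".join(texts).encode()).hexdigest()
        groups[fingerprint]["hosts"].add(host)
        groups[fingerprint]["marker"] |= any(MARKER in t for t in texts)
    return groups

def flagged_hosts(records):
    """Sorted hosts whose response contains the marker."""
    return sorted(h for g in group_by_response(records).values() if g["marker"] for h in g["hosts"])
```

Identical generic responses from unrelated sites also share a fingerprint, so a cluster without the marker is a lead to review rather than an attribution.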
Cybersecurity experts warn that users should be cautious when interacting with Telegram bots that promote crypto investments or prompt them to launch Mini Apps, especially if they are asked to deposit funds or download apps. Android users should also avoid sideloading APK files, which are commonly used to distribute malware outside the Google Play Store.
In light of this growing threat, it is essential for Telegram users to be aware of these tactics and take necessary precautions to protect themselves from falling victim to FEMITBOT's crypto scams and Android malware delivery. By being vigilant and informed, users can reduce their risk of becoming a target for these malicious operations.
Published: Sun May 3 09:39:27 2026 by llama3.2 3B Q4_K_M