Mobile Security

<h2>What happened</h2><p>CTM360 researchers have uncovered a large-scale fraud operation using Telegram’s Mini App feature to run cryptocurrency scams, impersonate major brands, and distribute Android malware. The platform behind the operation, dubbed FEMITBOT based on a string found in API responses, uses Telegram bots and embedded Mini Apps to create convincing app-like experiences within the messaging platform without requiring users to leave it.</p><p>Telegram Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, enabling payments, account access, and interactive tools. FEMITBOT abuses this feature by deploying bots that, when a user clicks Start, launch phishing pages directly in Telegram’s WebView, making them appear as part of the app itself. Victims are shown dashboards with fake balances or earnings, paired with countdown timers and limited-time offers to create urgency. When they attempt to withdraw funds, they are prompted to make deposits or complete referral tasks, classic advance-fee and investment scam mechanics.</p><p>The operation impersonates widely recognized brands to increase credibility, including Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, and YouKu. A shared backend infrastructure serves multiple phishing domains, all returning the same API response containing the FEMITBOT platform identifier, indicating centralized control across campaigns. The infrastructure is designed to switch branding, languages, and themes easily, and uses Meta and TikTok tracking pixels to measure campaign performance.</p><p>Some Mini Apps also distribute Android APKs impersonating brands including the BBC, NVIDIA, CineTV, Coreweave, and Claro. The APKs are hosted on the same domains as the phishing API and use TLS certificates to avoid browser warnings. Users are prompted to download APK files, open links in the in-app browser, or install progressive web apps mimicking legitimate software.</p><h2>Who is affected</h2><p>Any Telegram user who interacts with FEMITBOT-linked bots faces exposure to investment fraud and potential Android malware installation. The impersonation of major consumer and enterprise brands means the lures are broadly credible across demographics. Organizations whose brands are being impersonated face reputational and customer trust exposure from the fraudulent use of their identities.</p><h2>Why CISOs should care</h2><p>FEMITBOT demonstrates how Telegram’s Mini App architecture can be weaponized to deliver convincing phishing experiences within a trusted messaging environment, bypassing the user’s instinct to check URLs or verify sources. The in-app WebView display makes the phishing page appear as a native part of Telegram rather than an external site, reducing the visual cues that typically help users identify fraud.</p><p>The use of legitimate ad tracking pixels from Meta and TikTok to optimize campaign performance reflects a level of operational sophistication more typical of legitimate marketing operations than traditional cybercrime. For security leaders, the broader signal is that threat actors are increasingly building fraud infrastructure on top of legitimate platform features rather than relying on traditional phishing infrastructure.</p><h2>3 practical actions</h2><ol> <li><strong>Brief employees on Telegram Mini App phishing and the risks of bots promoting cryptocurrency investments:</strong> Users interacting with Telegram bots that launch Mini Apps displaying investment dashboards, fake earnings, or deposit prompts should treat these as high-confidence scam indicators. Security awareness training should explicitly cover this delivery mechanism as it becomes more widely adopted by threat actors.</li> <li><strong>Enforce MDM policies that block sideloaded APK installation on managed Android devices:</strong> FEMITBOT distributes malware through APK files outside the Google Play Store. Mobile device management policies that restrict APK sideloading on corporate and BYOD devices directly mitigate this distribution method and should be validated as part of your current mobile security posture.</li> <li><strong>Monitor for brand impersonation on Telegram and other messaging platforms as part of your threat intelligence program:</strong> The FEMITBOT infrastructure impersonates well-known brands through bots and Mini Apps. Organizations should include Telegram bot and Mini App monitoring in their brand protection and threat intelligence coverage, particularly those in financial services, technology, and media where impersonation risk is elevated.</li> </ol><div data-test-render-count="1"> <div class="group"> <div class="contents"> <div class="group relative relative pb-3" data-is-streaming="false"> <div class="font-claude-response relative leading-[1.65rem] [&amp;_pre&gt;div]:bg-bg-000/50 [&amp;_pre&gt;div]:border-0.5 [&amp;_pre&gt;div]:border-border-400 [&amp;_.ignore-pre-bg&gt;div]:bg-transparent [&amp;_.standard-markdown_:is(p,blockquote,h1,h2,h3,h4,h5,h6)]:pl-2 [&amp;_.standard-markdown_:is(p,blockquote,ul,ol,h1,h2,h3,h4,h5,h6)]:pr-8 [&amp;_.progressive-markdown_:is(p,blockquote,h1,h2,h3,h4,h5,h6)]:pl-2 [&amp;_.progressive-markdown_:is(p,blockquote,ul,ol,h1,h2,h3,h4,h5,h6)]:pr-8"> <div class="standard-markdown grid-cols-1 grid [&amp;_&gt;_*]:min-w-0 gap-3 standard-markdown"> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Also in the news today:</p> <ul class="[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3"> <li style="list-style-type: none"> <ul class="[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3"> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://cisowhisperer.com/ubuntu-and-canonical-web-services-hit-by-ddos-attack/">Ubuntu and Canonical Web Services Hit by DDoS Attack</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://cisowhisperer.com/microsoft-defender-mistakenly-flags-digicert-root-certificates-as-malware/">Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://cisowhisperer.com/threat-actors-use-ai-to-automate-zero-day-discovery-and-exploitation-at-machine-speed/">Threat Actors Use AI to Automate Zero-Day Discovery and Exploitation at Machine Speed</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://cisowhisperer.com/salt-typhoon-suspected-in-breach-of-ibm-italy-subsidiary-managing-public-infrastructure/">Salt Typhoon Suspected in Breach of IBM Italy Subsidiary Managing Public Infrastructure</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://cisowhisperer.com/frost-bank-hit-with-class-action-lawsuits-over-data-breach-affecting-more-than-100000-customers/">Frost Bank Hit With Class-Action Lawsuits Over Data Breach Affecting More Than 100,000 Customers</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://cisowhisperer.com/sandhills-medical-foundation-ransomware-breach-draws-class-action-investigation-nearly-a-year-later/">Sandhills Medical Foundation Ransomware Breach Draws Class Action Investigation Nearly a Year Later</a></li> </ul> </li> </ul> </div> </div> </div> </div> <div class="flex justify-start" role="group" aria-label="Message actions"> <div class="text-text-300"> <div class="text-text-300 flex items-stretch justify-between"> <div class="w-fit" data-state="closed"></div> </div> </div> </div> </div> </div><p>The post <a rel="nofollow" href="https://cisowhisperer.com/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/">Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery</a> appeared first on <a rel="nofollow" href="https://cisowhisperer.com/">CISO Whisperer</a>.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/05/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/" data-a2a-title="Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ftelegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery%2F&amp;linkname=Telegram%20Mini%20Apps%20Abused%20for%20Crypto%20Scams%20and%20Android%20Malware%20Delivery" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ftelegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery%2F&amp;linkname=Telegram%20Mini%20Apps%20Abused%20for%20Crypto%20Scams%20and%20Android%20Malware%20Delivery" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ftelegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery%2F&amp;linkname=Telegram%20Mini%20Apps%20Abused%20for%20Crypto%20Scams%20and%20Android%20Malware%20Delivery" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ftelegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery%2F&amp;linkname=Telegram%20Mini%20Apps%20Abused%20for%20Crypto%20Scams%20and%20Android%20Malware%20Delivery" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ftelegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery%2F&amp;linkname=Telegram%20Mini%20Apps%20Abused%20for%20Crypto%20Scams%20and%20Android%20Malware%20Delivery" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://cisowhisperer.com">CISO Whisperer</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Evan Rowe">Evan Rowe</a>. Read the original post at: <a href="https://cisowhisperer.com/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery">https://cisowhisperer.com/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery</a> </p>

<p>Security Boulevard is now providing a weekly cybersecurity jobs report through which opportunities for cybersecurity professionals will be highlighted as part of an effort to better serve our audience.</p><p>Our goal in these challenging economic times is to make it just that much easier for cybersecurity professionals to advance their careers.</p><p>Of course, the pool of available cybersecurity talent is still relatively constrained, so when one cybersecurity professional takes on a new role, it tends to create opportunities for others.</p><p>The ten job postings shared this week are selected based on the company looking to hire, the vertical industry segment and naturally, the pay scale being offered.</p><p>We’re also committed to providing additional insights into the state of the cybersecurity job market. In the meantime, for your consideration.</p><p><strong>Dice</strong></p><p>AaraTechnologies Inc<br>San Francisco, CA<br><a href="https://www.dice.com/job-detail/83a52da2-d721-4816-8cec-ec7f8fb234cd">CYBER SECURITY</a><br>$60,000 – $70,000</p><p>ComTec Information Systems<br>Houston, TX<br><a href="https://www.dice.com/job-detail/88fda044-c16a-4723-9e5c-7abb532375d2">Cyber Security Project Manager</a><br>$140,000 – $160,000</p><p>Accenture LLP<br>Arlington, VA<br><a href="https://www.dice.com/job-detail/0acb1a13-41e5-43ae-9769-a751796794c8">Cybersecurity Network Engineer</a><br>$86,400 – $176,200</p><p>VCS Digital LLC<br>Phoenix, AZ<br><a href="https://www.dice.com/job-detail/66fbd90a-4249-4548-ac2f-230b4971f85b">Executive Program Manager for Cybersecurity</a><br>$100,000 – $120,000</p><p>Tri-Force Consulting Services Inc<br>(Remote)<br><a href="https://www.dice.com/job-detail/658e362b-7ab8-4cd3-bd92-8bb01bff333f">Cyber Security Disaster Recovery (DR) Architect</a><br>$80 – $90</p><p><strong>Indeed</strong></p><p>USAA<br>Plano, TX<br><a href="https://www.indeed.com/viewjob?jk=f62090ed6020b340">Information Security Engineer – Mid Level</a><br>$114,080 – $218,030</p><p>USC<br>Arlington, VA<br><a href="https://www.indeed.com/viewjob?jk=7e28cf0043bcbb7d">Information Systems Security Engineer/IT Systems Eng</a><br>$130,000 – $140,000</p><p>Harris Health<br>Bellaire, TX<br><a href="https://www.indeed.com/viewjob?jk=57ffda4e504db955">Information Security Engineer</a><br>$99,216.00 – $129,001.60</p><p>Argo Cyber Systems<br>Arlington, VA<br><a href="https://www.indeed.com/viewjob?jk=d60e4bea5db66fb5">Cloud Engineering Requires Current US Security clearance</a><br>$100,000 – $120,000</p><p>Canus Tech<br>New Jersey<br><a href="https://www.linkedin.com/jobs/cyber-security-jobs-new-jersey">Data Privacy &amp; Protection SME – $140k+</a><br>$140,000+</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/05/ten-great-cybersecurity-job-opportunities-5/" data-a2a-title="Ten Great Cybersecurity Job Opportunities"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ften-great-cybersecurity-job-opportunities-5%2F&amp;linkname=Ten%20Great%20Cybersecurity%20Job%20Opportunities" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ften-great-cybersecurity-job-opportunities-5%2F&amp;linkname=Ten%20Great%20Cybersecurity%20Job%20Opportunities" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ften-great-cybersecurity-job-opportunities-5%2F&amp;linkname=Ten%20Great%20Cybersecurity%20Job%20Opportunities" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ften-great-cybersecurity-job-opportunities-5%2F&amp;linkname=Ten%20Great%20Cybersecurity%20Job%20Opportunities" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F05%2Ften-great-cybersecurity-job-opportunities-5%2F&amp;linkname=Ten%20Great%20Cybersecurity%20Job%20Opportunities" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

Tom Parker, a security services lead at IBM with some two decades of experience in the cybersecurity industry, has emerged as a potential contender to lead the Cybersecurity and Infrastructure Securi… [+2538 chars]

Enterprises are moving fast to embed artificial intelligence into everything from customer interactions to decision-making. The benefits are undeniable: speed, efficiency and scale. The danger isnt … [+7795 chars]

Salt Typhoon breach IBM subsidiary in Italy: a warning for Europes digital defenses In late April 2026, the Italian cybersecurity landscape was shaken by a significant breach targeting Sistemi Infor… [+3260 chars]

The chief technology officer of the United Kingdom's National Cyber Security Centre (NCSC) has told organisations to deal with their technical debt, or skilled individuals will be able to exploit it … [+2357 chars]

## Market Snapshot In the “Bitcoin Future Price Predictions” market, the probability of Bitcoin reaching $200,000 by December 31, 2026, is currently priced at 4% YES, unchanged from prior days. In t… [+2286 chars]

## Market Snapshot The market for Anthropic’s provision of the Mythos model to the US government by April 30, 2026, is currently priced at 100% YES. Despite recent news, sub-market odds remain uncha… [+1930 chars]

A newly launched Christian cell-phone network is aiming to be the first in the US to block pornography and LGBT content. “We are going to create and we think we have every right to do so an environm… [+2766 chars]

Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Win… [+5544 chars]

A required part of this site couldnt load. This may be due to a browser extension, network issues, or browser settings. Please check your connection, disable any ad blockers, or try using a diffe… [+12 chars]

When Anthropic introduced its powerful new model, Claude Mythos, this spring, companies and countries freaked out. The general-purpose model, its creators claimed, could discover software vulnerabili… [+824 chars]

Jakarta (ANTARA) - Indonesia’s National Police chief Listyo Sigit Prabowo said the new Yogyakarta Regional Police headquarters will adopt a smart city model, integrating data systems to support faste… [+972 chars]

NEW YORK — Target's mobile app and website are functioning normally for most users as of Sunday, May 3, 2026, though scattered reports of intermittent glitches have surfaced on social media and outag… [+5236 chars]

A required part of this site couldnt load. This may be due to a browser extension, network issues, or browser settings. Please check your connection, disable any ad blockers, or try using a diffe… [+12 chars]

U.S. CISA adds a flaw in WebPros cPanel to its Known Exploited Vulnerabilities catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Defender, tracked as… [+1928 chars]

But the bigger shift is how messy the ecosystem has become. Established groups like Akira and Qilin are still active, while newer players like The Gentlemen surged into the top tier with a 588 percen… [+805 chars]

Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram’s Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. A new… [+3430 chars]

Samarkand, Uzbekistan: The Asian Development Bank (ADB) will support $70 billion in new energy and digital infrastructure projects aimed at connecting power grids, expanding cross-border electricity … [+3035 chars]

Bitcoin's role in national security grows as US lawmakers push for domestic mining and defense strategies. Key Takeaways <ul><li>Bitcoin is increasingly seen as a national security tool by US lawmak… [+10051 chars]

R&amp;D generates significant revenue, but manufacturing capabilities are the real backbone and the truly large source of wealth. Israel has built a global reputation on innovation. But while the Un… [+3692 chars]

Can’t-miss innovations from the bleeding edge of science and tech Earlier this year, Anthropic unveiled a preview version of Mythos, its upcoming AI model that it claimed was simply too dangerous to… [+2708 chars]

Theres a lot to security that isnt necessarily cyber. Its not all hackers or complex network attacks. Alongside traditional cyberattacks that deploy malware or exploit known software vulnerabilities… [+6534 chars]

Investigations into the disappearance of USD 2.5 million through unauthorized access to email accounts at the Sri Lanka Treasury have been expanded, and the Criminal Investigation Department (CID) ha… [+2985 chars]

Google Revamps Bug Bounty Programs: Android Rewards Rise, Chrome Payouts Drop in the Age of AI Google has announced a major overhaul of its Vulnerability Reward Programs (VRP) for Android and Chrome… [+5610 chars]