Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery
<h2>What happened</h2><p>CTM360 researchers have uncovered a large-scale fraud operation that uses Telegram’s Mini App feature to run cryptocurrency scams, impersonate major brands, and distribute Android malware. The platform behind the operation, dubbed FEMITBOT after a string found in its API responses, uses Telegram bots and embedded Mini Apps to create convincing app-like experiences inside the messaging platform, so users never have to leave it.</p><p>Telegram Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, enabling payments, account access, and interactive tools. FEMITBOT abuses this feature by deploying bots that, when a user taps Start, launch phishing pages directly in Telegram’s WebView, so they appear to be part of the app itself. Victims are shown dashboards with fake balances or earnings, paired with countdown timers and limited-time offers to create urgency. When they attempt to withdraw funds, they are first required to make a deposit or complete referral tasks, the classic advance-fee and investment-scam mechanics.</p><p>The operation impersonates widely recognized brands to increase credibility, including Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, and YouKu. A shared backend serves multiple phishing domains, all of which return the same API response containing the FEMITBOT platform identifier, indicating centralized control across campaigns. The infrastructure is designed to switch branding, languages, and themes easily, and it uses Meta and TikTok tracking pixels to measure campaign performance.</p><p>Some Mini Apps also distribute Android APKs impersonating brands including the BBC, NVIDIA, CineTV, Coreweave, and Claro. The APKs are hosted on the same domains as the phishing API and are served with TLS certificates so that the browser raises no warning. 
Users are prompted to download APK files, open links in the in-app browser, or install progressive web apps mimicking legitimate software.</p><h2>Who is affected</h2><p>Any Telegram user who interacts with FEMITBOT-linked bots faces exposure to investment fraud and potential Android malware installation. The impersonation of major consumer and enterprise brands means the lures are broadly credible across demographics. Organizations whose brands are being impersonated face reputational and customer trust exposure from the fraudulent use of their identities.</p><h2>Why CISOs should care</h2><p>FEMITBOT demonstrates how Telegram’s Mini App architecture can be weaponized to deliver convincing phishing experiences within a trusted messaging environment, bypassing the user’s instinct to check URLs or verify sources. The in-app WebView display makes the phishing page appear as a native part of Telegram rather than an external site, reducing the visual cues that typically help users identify fraud.</p><p>The use of legitimate ad tracking pixels from Meta and TikTok to optimize campaign performance reflects a level of operational sophistication more typical of legitimate marketing operations than traditional cybercrime. For security leaders, the broader signal is that threat actors are increasingly building fraud infrastructure on top of legitimate platform features rather than relying on traditional phishing infrastructure.</p><h2>3 practical actions</h2><ol> <li><strong>Brief employees on Telegram Mini App phishing and the risks of bots promoting cryptocurrency investments:</strong> Users interacting with Telegram bots that launch Mini Apps displaying investment dashboards, fake earnings, or deposit prompts should treat these as high-confidence scam indicators. 
Security awareness training should explicitly cover this delivery mechanism as it becomes more widely adopted by threat actors.</li> <li><strong>Enforce MDM policies that block sideloaded APK installation on managed Android devices:</strong> FEMITBOT distributes malware through APK files outside the Google Play Store. Mobile device management policies that restrict APK sideloading on corporate and BYOD devices directly mitigate this distribution method and should be validated as part of your current mobile security posture.</li> <li><strong>Monitor for brand impersonation on Telegram and other messaging platforms as part of your threat intelligence program:</strong> The FEMITBOT infrastructure impersonates well-known brands through bots and Mini Apps. Organizations should include Telegram bot and Mini App monitoring in their brand protection and threat intelligence coverage, particularly those in financial services, technology, and media where impersonation risk is elevated.</li> </ol><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://cisowhisperer.com">CISO Whisperer</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Evan Rowe">Evan Rowe</a>. Read the original post at: <a href="https://cisowhisperer.com/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/?utm_source=rss&utm_medium=rss&utm_campaign=telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery">https://cisowhisperer.com/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/?utm_source=rss&utm_medium=rss&utm_campaign=telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery</a> </p>
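<p>The article's key analytic observation is that many lure domains, each branded differently, return the same API response carrying the FEMITBOT platform identifier, which is what lets researchers tie them to one operator. The script below is an added illustration of that infrastructure-clustering step for a brand-protection or threat-intelligence team (the third practical action above); it is not CTM360's tooling or code from the original post. The response bodies, domain names, and the JSON shape with a <code>platform</code> and <code>brand</code> key are constructed assumptions; a real collection step would fetch the responses from candidate domains and feed them in as the same domain-to-body mapping.</p>

```python
"""Cluster suspected phishing domains by a shared backend identifier.

Added example, not code from the original post. The sample responses
below are constructed; the JSON layout (a "platform" key naming the
kit and a "brand" key naming the impersonated company) is an assumption.
"""
import json
from collections import defaultdict

# Constructed sample: domain -> raw body returned by its API endpoint.
# Two entries are deliberately unusable (non-JSON, no identifier) to
# show how such domains are dropped rather than mis-clustered.
SAMPLE_RESPONSES = {
    "apple-rewards.example":  '{"status":"ok","platform":"FEMITBOT","brand":"Apple","lang":"en"}',
    "nvidia-invest.example":  '{"status":"ok","platform":"FEMITBOT","brand":"NVIDIA","lang":"es"}',
    "disney-earn.example":    '{"status":"ok","platform":"FEMITBOT","brand":"Disney","lang":"en"}',
    "unrelated-shop.example": '{"status":"ok","platform":"OtherKit","brand":"Shop"}',
    "broken.example":         "<html><body>parked domain</body></html>",
    "no-id.example":          '{"status":"ok","brand":"eBay"}',
}


def extract_platform_id(body, key="platform"):
    """Return the platform identifier from a JSON response body, or None.

    Non-JSON bodies, non-object JSON, and missing or empty keys all yield
    None; parked, suspended, or repurposed domains commonly look like this.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get(key)
    return value if isinstance(value, str) and value else None


def extract_brand(body, key="brand"):
    """Return the impersonated brand named in the response, or None."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get(key)
    return value if isinstance(value, str) and value else None


def cluster_by_platform(responses, key="platform"):
    """Group domains by the identifier their API returns.

    Domains with no extractable identifier are left out; they need a
    separate review rather than a guessed cluster.
    """
    clusters = defaultdict(list)
    for domain, body in responses.items():
        pid = extract_platform_id(body, key)
        if pid is not None:
            clusters[pid].append(domain)
    return {pid: sorted(domains) for pid, domains in clusters.items()}


def summarize_clusters(responses, min_domains=2, key="platform"):
    """Report identifiers seen on at least `min_domains` domains.

    For each such cluster, list its domains and the distinct brands they
    impersonate. One identifier spanning many brands is the signal the
    article describes: centrally controlled infrastructure with swappable
    branding, rather than unrelated one-off phishing sites.
    """
    summary = {}
    for pid, domains in cluster_by_platform(responses, key).items():
        if len(domains) < min_domains:
            continue
        brands = {extract_brand(responses[d]) for d in domains}
        brands.discard(None)
        summary[pid] = {"domains": domains, "brands": sorted(brands)}
    return summary


if __name__ == "__main__":
    for pid, info in summarize_clusters(SAMPLE_RESPONSES).items():
        print(f"{pid}: {len(info['domains'])} domains, "
              f"brands impersonated: {', '.join(info['brands'])}")
        for domain in info["domains"]:
            print(f"  - {domain}")
```

<p>Run as a script it lists each shared backend identifier with the domains and brands it spans; the two unusable sample domains are excluded from clustering rather than assigned to a guessed group, and the single-domain <code>OtherKit</code> entry is held back by the <code>min_domains</code> threshold because one domain alone says nothing about shared control.</p>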