Cybersecurity researchers uncovered a large-scale fraud operation utilizing Telegram’s Mini App feature to execute crypto scams, impersonate brands, and distribute Android malware. According to a report by CTM360, the operation, identified as FEMITBOT, employs Telegram bots and Mini Apps to create deceptive experiences directly within the messaging platform.

The FEMITBOT platform facilitates various scams, including fake cryptocurrency platforms, financial services, AI tools, and streaming sites. Researchers found that scammers impersonated well-known brands like Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu to enhance credibility and engagement.

The campaign uses a shared backend across multiple phishing domains, with a common API response that includes the phrase, “Welcome to join the FEMITBOT platform.” This indicates that different scams leverage the same underlying infrastructure. Telegram bots engage users by displaying phishing sites directly within the app, using Mini Apps that appear authentic.

Victims often encounter fake dashboards showing inflated balances or “earnings,” accompanied by countdown timers or limited-time offers to create urgency. Users attempting to withdraw funds are prompted to make additional deposits or complete referral tasks, a tactic common in advance-fee scams.

The infrastructure is adaptable, allowing easy modifications to branding, languages, and themes for various campaigns. These campaigns also utilize tracking scripts from platforms like Meta and TikTok to monitor user activity and optimize performance.

Some Mini Apps disguise malware as Android APKs, impersonating genuine applications from brands such as the BBC, NVIDIA, and CineTV. Users are misled into downloading these APK files, which use filenames designed to appear legitimate or random enough to avoid suspicion.

CTM360 notes, “The APKs are hosted on the same domain as the API, ensuring TLS certificate validity and avoiding mixed-content warnings in the browser.” Users are urged to be wary of Telegram bots promoting crypto investments that ask for deposits or app downloads.
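Both of the infrastructure traits above (the shared "Welcome to join the FEMITBOT platform" API banner and APKs served from the same host as the API) can be turned into a triage check for responders sorting through suspected bot landing domains. The following Python is an added example, not CTM360's tooling; the hostnames and API responses are constructed for illustration, and the JSON layout is an assumed shape, not the real backend's format.

```python
"""Cluster collected API responses by the FEMITBOT banner and flag APK
downloads co-hosted with the API. Added example; sample data is constructed."""
import json
from urllib.parse import urlparse

FEMITBOT_FINGERPRINT = "Welcome to join the FEMITBOT platform"  # phrase from the report

# Constructed samples: api_url -> raw response body a responder might have captured.
SAMPLE_RESPONSES = {
    "https://invest-example.test/api/init": json.dumps(
        {"code": 0, "msg": "Welcome to join the FEMITBOT platform",
         "data": {"download": "https://invest-example.test/static/app.apk"}}),
    "https://stream-example.test/api/init": json.dumps(
        {"code": 0, "msg": "welcome to join the femitbot platform",
         "data": {"download": "https://cdn-example.test/file.apk"}}),
    "https://benign-example.test/api/init": json.dumps({"code": 0, "msg": "ok"}),
    "https://broken-example.test/api/init": "<html>502 Bad Gateway</html>",
}

def has_fingerprint(body: str) -> bool:
    """True if the response carries the shared-backend banner (case-insensitive)."""
    return FEMITBOT_FINGERPRINT.lower() in body.lower()

def apk_urls(body: str) -> list[str]:
    """Walk a JSON body and collect every string value that ends in .apk."""
    try:
        doc = json.loads(body)
    except ValueError:          # non-JSON body (error page, HTML): nothing to walk
        return []
    found, stack = [], [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str) and node.lower().endswith(".apk"):
            found.append(node)
    return found

def triage(responses: dict[str, str]) -> dict[str, dict]:
    """Per API host: banner hit, APK links, and APKs served from the API host itself."""
    out = {}
    for api_url, body in responses.items():
        host = urlparse(api_url).hostname
        apks = apk_urls(body)
        out[host] = {"femitbot": has_fingerprint(body), "apk_urls": apks,
                     "apk_same_host_as_api": [u for u in apks
                                              if urlparse(u).hostname == host]}
    return out

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(host, verdict)
```

A banner hit clusters a host with the campaign even when branding differs; an APK on the same host as the API matches the hosting pattern CTM360 describes and is worth pulling for analysis.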

Android users should refrain from sideloading APK files not obtained from the Google Play Store, as these often carry malware risks. Researchers emphasize the importance of vigilance when interacting with suspicious Telegram bots.