FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware
FEMITBOT fraud network abuses Telegram Mini Apps to distribute Android malware and cryptocurrency investment scams.
Summary
A sophisticated fraud network called FEMITBOT uses Telegram's Mini App feature to conduct large-scale cryptocurrency investment scams and distribute Android malware. The operation impersonates trusted brands such as Apple, Disney, and the BBC to trick users into depositing money or downloading malicious APK files; the lures run inside Telegram's WebView, so they look like part of the platform rather than an external link, and the download pages are served with valid TLS certificates so phone browsers raise no connection warnings. The infrastructure is professionally managed: a shared backend allows rapid rebranding, and Meta and TikTok marketing pixels track which scams perform best.
Full text
by Deeba Ahmed, May 5, 2026

A massive fraud network called FEMITBOT uses Telegram Mini Apps and fake brand names like Apple, Disney, and the BBC to lure users into investment scams and Android malware downloads. FEMITBOT is a centralized fraud infrastructure from which its operators launch and manage hundreds of different scams at once. The operation was discovered and named by the research firm CTM360 in a recently released report; the name FEMITBOT comes from a string the researchers found in the API responses the scam servers return to victims' phones. By building the lures as Mini Apps, the operators create a seamless experience in which a regular user cannot easily tell that they have left Telegram's own interface for a third-party web page.

How the Scams Work

Telegram Mini Apps are lightweight web applications that run inside the app's embedded browser (a WebView). When a user interacts with a bot and taps the Start button, the phishing page opens immediately. Because the page stays inside Telegram rather than opening in Chrome or Safari like a normal link, it looks like a native part of the platform, even though the content is simply a website loaded from the attackers' server. Telegram's interface around the page says nothing about what the page contains.

The scammers use a few different lures:

- Fake dashboards: screens showing fake earnings or high cryptocurrency balances.
- Urgency: countdown timers and offers that expire in minutes, pushing people into fast, panicky decisions.
- The trap: to withdraw any "earnings", the user must first deposit their own money or refer friends, a classic investment-scam pattern.

Brands and Dangerous Software

To appear legitimate, CTM360 reports, FEMITBOT copies global companies, using the logos and names of Apple, Disney, Coca-Cola, eBay, IBM, NVIDIA, MoonPay, and YouKu, as well as the exchanges Binance and OKX, so the fake investment offers look as if they are backed by giant, trusted businesses.

The operation also spreads Android malware: some Mini Apps push users to download APK files or install Progressive Web Apps (PWAs). These malicious files impersonate apps from the BBC, NVIDIA, CineTV, Coreweave, and Claro. The download pages are served over HTTPS with valid TLS certificates so that phone browsers show no connection warning, which makes the files look safe and verified. A certificate only authenticates the server the file came from; it says nothing about what the APK does, and sideloading an APK bypasses the app store's review entirely.

Screenshot via CTM360

A Professional Setup

This is not a small group. The entire network runs on a shared backend from which the operators can change a scam's branding or language almost instantly. They even use marketing tools from Meta and TikTok, embedding tracking pixels to measure which scams get the most clicks, and run the operation like a professional business.

Be very careful with any bot that asks for a deposit before you can withdraw your money.
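As an added illustration of the indicators described above (this is example code, not CTM360's or Hackread's), the following Python script performs a static triage of a Mini App page's HTML: it flags the Telegram Web App SDK include that marks the page as a Mini App, APK download links, a PWA manifest, and the public Meta and TikTok pixel loaders, then decides whether the page matches the "Mini App pushes a native install" pattern. The two sample pages, the hypothetical cdn.example.invalid host, and the indicator names are constructed for the example; only the Telegram SDK URL and the pixel loader hosts are real public ones.

```python
"""Static triage of a Telegram Mini App page for install lures and tracking pixels.

Added example, not code from the article or from CTM360. Sample pages are
constructed; the hostnames in them (other than telegram.org, facebook.com and
connect.facebook.net) are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public script hosts of the Meta Pixel and TikTok Pixel loaders
# (assumption: the scam pages embed the standard loaders, not self-hosted copies).
PIXEL_HOSTS = {
    "connect.facebook.net": "meta_pixel",
    "analytics.tiktok.com": "tiktok_pixel",
}
# Every Telegram Mini App loads this SDK to talk to the hosting Telegram client.
TELEGRAM_WEBAPP_SDK = "telegram.org/js/telegram-web-app.js"


class MiniAppTriage(HTMLParser):
    """Collects {indicator: [evidence, ...]} while walking the page's tags."""

    def __init__(self):
        super().__init__()
        self.findings = {}

    def _flag(self, indicator, evidence):
        self.findings.setdefault(indicator, []).append(evidence)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        href = a.get("href") or ""
        if tag == "a" and urlparse(href).path.lower().endswith(".apk"):
            self._flag("apk_download_link", href)          # sideload lure
        elif tag == "link" and "manifest" in (a.get("rel") or "").lower().split():
            self._flag("pwa_manifest", href)               # PWA install lure
        elif tag == "script" and src:
            if TELEGRAM_WEBAPP_SDK in src:
                self._flag("telegram_webapp_sdk", src)     # page is built as a Mini App
            host = urlparse(src).netloc.lower()
            if host in PIXEL_HOSTS:
                self._flag(PIXEL_HOSTS[host], src)         # marketing telemetry
        elif tag == "img":
            u = urlparse(src)
            if u.netloc.lower().endswith("facebook.com") and u.path == "/tr":
                self._flag("meta_pixel_noscript", src)     # image-beacon form of the pixel


def triage(html: str) -> dict:
    """Return {indicator: [evidence, ...]} for one page."""
    parser = MiniAppTriage()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_app_install_lure(findings: dict) -> bool:
    """True when a page built as a Mini App pushes a native APK or PWA install."""
    return "telegram_webapp_sdk" in findings and (
        "apk_download_link" in findings or "pwa_manifest" in findings
    )


# Constructed sample page imitating the lures in the article; not a real capture.
SAMPLE_LURE = """<html><head>
<script src="https://telegram.org/js/telegram-web-app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<link rel="manifest" href="/manifest.json">
</head><body>
<h1>Brand Rewards</h1>
<a href="https://cdn.example.invalid/app/brand-rewards.apk">Install the app</a>
<img src="https://www.facebook.com/tr?id=000&amp;ev=PageView" style="display:none">
</body></html>"""

# Constructed benign page: a Mini App with no install push and no pixels.
SAMPLE_BENIGN = """<html><head>
<script src="https://telegram.org/js/telegram-web-app.js"></script>
</head><body><p>Order status</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        found = triage(page)
        print(name, "install lure:", is_app_install_lure(found))
        for indicator, evidence in found.items():
            print("  ", indicator, evidence)
```

The SDK include alone is not an indicator: legitimate Mini Apps load it too, which is why the benign sample is not flagged. The verdict needs the SDK together with an install push, and the pixel findings are reported as context rather than folded into the verdict.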
Indicators of Compromise
- malware — FEMITBOT