Technology · May 4, 2026 · 3 min read

Crypto Scams on Telegram: Mini Apps Used to Distribute Infected APKs

The Flexibility of Telegram Mini Apps

The flexibility of Telegram Mini Apps has become a double-edged sword. Cybersecurity researchers have identified a vast fraudulent operation, named FEMITBOT, designed to target users of the messaging service by simulating cryptocurrency trading platforms and distributing malware for Android systems. The heart of the problem lies in how Telegram handles these lightweight applications: Mini Apps are loaded within an integrated WebView, an internal browser that can be easily manipulated to create user experiences indistinguishable from the native app features.

The attack mechanism, described by CTM360, typically begins with a Telegram bot. Once the user sends the "Start" command, the bot launches the Mini App, which loads a phishing page. Because everything happens inside the Telegram ecosystem, victims implicitly trust the displayed content. The fraudulent dashboards show fake balances and supposed real-time earnings, and use standard social engineering tactics such as countdown timers and limited-time offers to pressure the user into acting quickly without reflection.

FEMITBOT: Abusing WebViews for Large-Scale Scams

The FEMITBOT infrastructure operates as a centralized platform capable of managing multiple simultaneous campaigns. Researchers have identified a common API response, "Welcome to join the FEMITBOT platform," which links hundreds of phishing domains to the same backend through a modular approach that allows attackers to quickly change the branding and language of interfaces to suit different markets and targets.

The list of counterfeit brands is extensive and includes tech and entertainment giants such as Apple, NVIDIA, IBM, Disney, eBay, and Coca-Cola. In some cases, the deception shifts to specific financial services such as Moon Pay. The core of the financial scam follows the "prepaid payment" model: when a user tries to withdraw the supposed profits accumulated on the fake platform, the system demands a collateral deposit or the completion of referral tasks, pocketing the funds the victim deposits without ever releasing their capital.

In addition to the direct theft of digital assets, FEMITBOT serves as a vector for the distribution of Android malware. In various campaigns, users are asked to download APK files presented as legitimate software from brands such as BBC, CineTV, or Coreweave. One notable technical detail concerns the hosting of these packages: the malicious files reside on the same domain as the control API. This choice lets the operators reuse the phishing platform's valid TLS certificate, so modern browsers show no security warnings about mixed content or untrusted certificates during the download.
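The two infrastructure traits described above, a shared API welcome string that ties many phishing domains to one backend, and APK files served from the same host as that API, are both things a defender can pivot on. The following script is an added example written for this article, not code from CTM360 or from the FEMITBOT operators: it clusters observed hosts by the banner their API returns and flags the ones in the cluster that also serve an .apk from their own origin. The hosts, response bodies and download URLs are constructed sample data (reserved `.example` names); only the banner text "Welcome to join the FEMITBOT platform" comes from the report.

```python
import json
from collections import defaultdict
from typing import Optional
from urllib.parse import urlparse

# The shared API response string reported by CTM360 for this campaign.
BANNER = "Welcome to join the FEMITBOT platform"

# Constructed observations (not real domains): for each candidate host, the body
# its API endpoint returned and the download links its Mini App page referenced.
OBSERVATIONS = [
    {"host": "trade-apple-bonus.example",
     "api_body": '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}',
     "downloads": ["https://trade-apple-bonus.example/files/SystemUpdate.apk"]},
    {"host": "nvidia-earn.example",
     "api_body": '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}',
     "downloads": ["https://cdn.other.example/app.apk"]},   # APK hosted elsewhere
    {"host": "moonpay-rewards.example",
     "api_body": '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}',
     "downloads": []},
    {"host": "legit-shop.example",
     "api_body": '{"status":"ok","msg":"hello"}',
     "downloads": ["https://legit-shop.example/catalog.pdf"]},
]


def extract_banner(body: str) -> Optional[str]:
    """Pull the human-readable message out of an API response body.

    JSON bodies are expected to carry it under "msg" (assumed field name);
    non-JSON bodies are used as-is so the clustering still works on plain text.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return body.strip() or None
    msg = data.get("msg") if isinstance(data, dict) else None
    return msg if isinstance(msg, str) else None


def cluster_by_banner(observations):
    """Group hosts by the banner their API returned: same banner, same backend."""
    clusters = defaultdict(list)
    for obs in observations:
        banner = extract_banner(obs["api_body"])
        if banner:
            clusters[banner].append(obs["host"])
    return dict(clusters)


def same_host_apks(observations):
    """Return hosts that serve .apk files from their own origin (the hosting pattern
    from the report, which lets the download ride on the phishing site's TLS cert)."""
    flagged = {}
    for obs in observations:
        apks = []
        for url in obs["downloads"]:
            parsed = urlparse(url)
            if parsed.path.lower().endswith(".apk") and parsed.hostname == obs["host"]:
                apks.append(url)
        if apks:
            flagged[obs["host"]] = apks
    return flagged


def triage(observations, banner=BANNER):
    """Combine both pivots: hosts linked by the banner, and which of them also
    distribute an APK from the same host."""
    clusters = cluster_by_banner(observations)
    related = set(clusters.get(banner, []))
    apk_hosts = same_host_apks(observations)
    return {
        "related_hosts": sorted(related),
        "apk_on_same_host": sorted(h for h in related if h in apk_hosts),
    }


if __name__ == "__main__":
    print(json.dumps(triage(OBSERVATIONS), indent=2))
```

In practice the observations would come from a URL scanner or proxy export rather than a hard-coded list; the useful output is the `apk_on_same_host` list, which is where blocking the download path (and not just the landing page) matters most.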

The APK file names are deliberately chosen to look harmless or to mimic system apps, reducing suspicion during manual installation (sideloading). To maximize the operation's effectiveness, the FEMITBOT developers have integrated advanced tracking scripts, including Meta and TikTok tracking pixels. These tools let the operators measure precisely how many clicks convert into deposits or malware installations, and optimize their advertising spend or the distribution of links on social media accordingly.

The recommendation remains to categorically avoid installing APK files from sources outside the Google Play Store, especially if offered through messaging bots promising off-market financial returns.