Telegram Mini Apps abused for crypto scams, Android malware delivery

Cybersecurity researchers have uncovered a large-scale fraud operation that abuses Telegram's Mini App feature to run a variety of crypto scams, impersonate well-known brands, and distribute Android malware. The operation, tracked as FEMITBOT after a unique string found in its API responses, pairs Telegram bots with embedded Mini Apps to build convincing, app-like experiences inside the messaging platform.

Telegram Mini Apps are lightweight web applications that run inside Telegram's integrated browser, providing services such as payments, account access, and interactive tools without requiring users to leave the app.

Abusing Telegram mini apps

The findings from CTM360, shared with BleepingComputer, reveal that the FEMITBOT platform is engaged in a multitude of scams, including fraudulent cryptocurrency platforms, financial services, AI tools, and streaming sites. In various campaigns, the perpetrators have impersonated well-known brands to enhance credibility and user engagement, utilizing a shared backend infrastructure across different domains and Telegram bots.

Some of the brands impersonated in this campaign include:

  • Apple
  • Coca-Cola
  • Disney
  • eBay
  • IBM
  • Moon Pay
  • NVIDIA
  • YouKu

Telegram Mini App impersonating NVIDIA
Source: CTM360

Researchers have noted that the operation employs a shared backend, where multiple phishing domains utilize the same API response, stating, “Welcome to join the FEMITBOT platform,” which indicates a common infrastructure among these scams.

API response found in FEMITBOT campaigns
Source: CTM360

Through the use of Telegram bots, the operation displays phishing sites directly within the messaging platform. When users interact with a bot and click "Start," the bot launches a Mini App that renders a phishing page inside Telegram's built-in WebView, making it appear to be part of Telegram itself.

Victims are then shown dashboards featuring fake balances or “earnings,” often accompanied by countdown timers or limited-time offers designed to instill a sense of urgency. When users attempt to withdraw funds, they are typically prompted to make a deposit or complete referral tasks, a common strategy in investment and advance-fee scams.

Researchers have emphasized that the infrastructure is adaptable across various campaigns, enabling attackers to effortlessly switch branding, languages, and themes. Additionally, these campaigns employ tracking scripts, including Meta and TikTok tracking pixels, to monitor user activity, assess conversions, and likely optimize performance.

Some Mini Apps have also attempted to distribute malware in the form of Android APKs that impersonate reputable brands such as the BBC, NVIDIA, CineTV, Coreweave, and Claro.

Some of the Android APKs pushed by FEMITBOT
Source: CTM360

Users are often prompted to download Android APK files, open links within the in-app browser, or install progressive web apps that mimic legitimate software. CTM360 explains, “The APK filenames are carefully chosen to resemble legitimate applications or use random-looking names that don’t immediately trigger suspicion.” Furthermore, “The APKs are hosted on the same domain as the API, ensuring TLS certificate validity and avoiding mixed-content warnings in the browser.”
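Two of the indicators described above, the shared "Welcome to join the FEMITBOT platform" API response and APKs served from the same host as the API, can be turned into a simple triage check over HTTP response logs. The following script is an added example written for this article, not code from CTM360; it generalizes the idea to any JSON "msg" string shared across hosts, and all hostnames and records in it are constructed placeholders, not real indicators.

```python
import json
from collections import defaultdict

# Marker string the article reports in this operation's API responses.
FEMITBOT_MARKER = "Welcome to join the FEMITBOT platform"
APK_MIME = "application/vnd.android.package-archive"

# Constructed sample records shaped like proxy or sandbox HTTP logs.
# Hostnames and paths are placeholders, not real indicators.
SAMPLE_RECORDS = [
    {"host": "brand-a.example", "path": "/api/index/config", "content_type": "application/json",
     "body": '{"code":1,"msg":"Welcome to join the FEMITBOT platform","data":{"lang":"en"}}'},
    {"host": "brand-b.example", "path": "/api/index/config", "content_type": "application/json",
     "body": '{"code":1,"msg":"Welcome to join the FEMITBOT platform","data":{"lang":"es"}}'},
    {"host": "brand-b.example", "path": "/static/brand-b-app.apk", "content_type": APK_MIME, "body": ""},
    {"host": "benign.example", "path": "/api/health", "content_type": "application/json",
     "body": '{"code":0,"msg":"ok"}'},
    {"host": "benign.example", "path": "/downloads/tool.apk", "content_type": APK_MIME, "body": ""},
]


def backend_signature(record):
    """Return the JSON 'msg' string of an API response, or None if the body is not JSON."""
    if not record["content_type"].startswith("application/json"):
        return None
    try:
        payload = json.loads(record["body"])
    except ValueError:
        return None
    msg = payload.get("msg") if isinstance(payload, dict) else None
    return msg if isinstance(msg, str) else None


def cluster_by_signature(records):
    """Map each backend signature to the set of hosts that returned it (shared-backend pivot)."""
    clusters = defaultdict(set)
    for rec in records:
        sig = backend_signature(rec)
        if sig:
            clusters[sig].add(rec["host"])
    return clusters


def apk_hosts(records):
    """Hosts that serve Android packages, by MIME type or .apk path."""
    return {rec["host"] for rec in records
            if rec["content_type"] == APK_MIME or rec["path"].lower().endswith(".apk")}


def triage(records, marker=FEMITBOT_MARKER):
    """Flag hosts sharing the marker response, and those that also host APKs on the API domain."""
    clusters = cluster_by_signature(records)
    shared = set()
    for sig, hosts in clusters.items():
        if marker.lower() in sig.lower():
            shared |= hosts
    return {
        "shared_backend_hosts": sorted(shared),
        "apk_on_api_host": sorted(shared & apk_hosts(records)),
        "signature_clusters": {sig: sorted(h) for sig, h in clusters.items() if len(h) > 1},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Feeding real proxy logs through triage() surfaces domains that share one backend even when their branding differs, and singles out those that also serve APKs from the API host.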

Users should be wary of Telegram bots that promote cryptocurrency investments or prompt them to launch Mini Apps, particularly when those apps request deposits or app downloads. Android users should also avoid sideloading APK files, which are frequently used to distribute malware outside the Google Play Store.
