
FEMITBOT campaign abuses Telegram Mini Apps for crypto scams and Android malware delivery

1 unique source, 1 article

Summary


A large-scale fraud operation named FEMITBOT has been identified abusing Telegram’s Mini App feature to conduct cryptocurrency scams, impersonate major brands, and distribute Android malware. The operation leverages Telegram bots and embedded Mini Apps to create app-like phishing experiences directly within the messaging platform’s built-in browser. Threat actors impersonate well-known brands such as Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu to increase credibility, while using a shared backend infrastructure across multiple campaigns. Victims are presented with fake investment dashboards, urgency-driven prompts, and malware-hosting APKs disguised as legitimate applications.

Timeline

  1. 03.05.2026 17:11 · 1 article · 2h ago

    FEMITBOT campaign abuses Telegram Mini Apps for crypto scams and Android malware delivery

    Threat actors launched a multi-brand phishing and malware campaign using Telegram Mini Apps to deploy fake investment dashboards and impersonate legitimate brands. The infrastructure supports centralized control across campaigns, distributes malicious APKs via in-app prompts, and integrates tracking pixels for campaign optimization. APKs are hosted on domains with valid TLS certificates to avoid browser warnings and use filenames mimicking legitimate software.


Information Snippets

  • The FEMITBOT platform uses Telegram Mini Apps, lightweight web applications running in Telegram’s built-in browser, to deliver phishing pages and malicious APKs without requiring users to leave the app.

  • Threat actors impersonate major brands including Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu to enhance the credibility of phishing campaigns and malware distribution.

  • FEMITBOT employs a shared backend infrastructure where multiple phishing domains return the same API response: "Welcome to join the FEMITBOT platform," indicating centralized control across campaigns.

  • Victims are shown fake investment dashboards with counterfeit balances or earnings, often coupled with countdown timers or limited-time offers to create urgency and coerce deposits or referrals.

  • Malware distribution involves Android APKs hosted on the same domains as the API endpoints, served over valid TLS certificates to avoid browser warnings and named to resemble legitimate applications (e.g., BBC, NVIDIA, CineTV, Coreweave, Claro).

  • Tracking scripts such as Meta and TikTok pixels are injected into phishing pages to monitor user activity, measure conversions, and optimize campaign performance.
