Cybersecurity researchers have identified a massive fraud operation named FEMITBOT that leverages Telegram’s Mini App feature to execute cryptocurrency scams and distribute Android malware. By utilizing the platform's lightweight web application capabilities, threat actors create highly convincing, app-like experiences that impersonate global brands like NVIDIA, Apple, and Coca-Cola. The operation uses a shared backend infrastructure to launch phishing pages directly within Telegram's built-in browser, tricking users into depositing funds or downloading malicious APKs.
The campaign creates a sense of urgency through fake dashboards showing "earnings" and countdown timers, a pattern typical of investment and advance-fee scams. Additionally, some Mini Apps prompt users to install malicious Android packages; the APKs are hosted on the same domains as the phishing APIs, which helps the downloads avoid triggering security warnings. This shared infrastructure allows attackers to rapidly switch themes and languages, making the operation both scalable and difficult to track across different regions.