Researchers at CTM360 have uncovered a large-scale fraud operation, designated FEMITBOT, that weaponizes Telegram Mini Apps to run cryptocurrency advance-fee scams and distribute malicious Android APKs impersonating major global brands. The campaign leverages a shared backend infrastructure identifiable by a distinctive API fingerprint string and simultaneously targets users with financial fraud and device compromise.
FEMITBOT Telegram Mini Apps: Technical Details
FEMITBOT takes its name from the string "Welcome to join the FEMITBOT platform" returned in API responses across all phishing domains, allowing researchers to attribute otherwise disparate operations to a single backend infrastructure. The operation abuses Telegram Mini Apps — lightweight web applications that render inside Telegram’s built-in WebView — to deliver phishing pages without requiring victims to navigate outside the messaging application, lending the attack a veneer of legitimacy.
The campaign operates two distinct attack branches simultaneously:
Crypto advance-fee scam branch:
- A Telegram bot promotes an investment opportunity or giveaway and instructs users to click “Start”
- Clicking launches a Mini App that renders a fake trading dashboard inside Telegram’s WebView
- Victims are shown fabricated cryptocurrency balances, earnings counters, and countdown timers designed to create urgency
- Withdrawal attempts are blocked; victims are told they must deposit funds or complete referral tasks before withdrawals are processed — a textbook advance-fee model designed to extract real money from victims before they realize the balances are fictional
Android malware delivery branch:
- The same Mini App infrastructure prompts users to download an APK file
- APK filenames are crafted to impersonate legitimate applications from recognised brands: BBC, NVIDIA, CineTV, Coreweave, and Claro
- APKs are hosted on the same domain infrastructure as the phishing backend API
- Sideloaded APKs skip Google Play's pre-publication review entirely; Play Protect may still flag a known sample at install time, but a freshly built package can slip past it, potentially enabling credential theft, device surveillance, or persistent remote access
MITRE ATT&CK techniques observed across the FEMITBOT campaign:
| Technique | ID | Description |
|-----------|----|-------------|
| Phishing: Spearphishing Link | T1566.002 | Mini App phishing pages served in Telegram WebView |
| Phishing for Information | T1598 | Credential and PII harvesting on fake dashboards |
| User Execution: Malicious Link | T1204.001 | Users activate the Mini App via bot interaction |
| User Execution: Malicious File | T1204.002 | APK download and device sideload |
| Software Discovery | T1518 | Tracking pixels from Meta and TikTok embedded to monitor victim activity |
Exploitation and Threat Landscape
According to BleepingComputer’s analysis of the CTM360 findings, the operation impersonates widely recognized global brands to maximize perceived credibility:
- Financial and crypto services: MoonPay, IBM
- Consumer technology and media: Apple, NVIDIA, YouKu
- Mass-market consumer brands: Coca-Cola, Disney, eBay
The shared API backend (all domains return the identical "Welcome to join the FEMITBOT platform" response) means that what appear to be independent scam operations are all served by a single coordinated platform. Victims interacting with an "Apple"-branded Mini App and those reaching a "Disney"-branded version are routed through the same backend infrastructure, which sharply reduces the cost of standing up a new campaign while maximising the brand impersonation surface.
No specific file hashes, C2 IP addresses, or full domain lists have been publicly disclosed by CTM360 at this time. The primary observable indicator remains the FEMITBOT API response string. CTM360’s original advisory also references a related campaign called TRAP10, which uses the same Telegram Mini App delivery mechanism in a Ponzi-style investment variant distributed via Meta Ads and Telegram Ads, targeting victims through fake social media promotions before routing them into the Mini App.
The use of Telegram as a delivery vector is tactically significant. Telegram’s WebView renders pages in a trusted-looking native context; users are less likely to scrutinise domain names or connection security indicators when interacting with content that appears embedded inside an app they already trust.
Who Is Affected
Any Telegram user who interacts with bots promoting cryptocurrency investment returns, product giveaways, or financial platforms is at risk. The campaign targets a broad geographic footprint given Telegram’s global user base of over 900 million monthly active users.
Android users who sideload APKs sourced from within Telegram sessions face the compounded risk of device-level compromise. iOS users are not directly exposed to the APK delivery branch but remain vulnerable to the phishing and credential harvesting components via the Mini App WebView.
Organisations whose brands are being impersonated — including Apple, NVIDIA, Disney, eBay, and others listed above — face customer credential harvesting and brand reputation damage they have no direct technical mechanism to prevent on a third-party platform.
What You Should Do Right Now
- Never install APKs delivered through Telegram. All Android applications should be installed exclusively from the Google Play Store. Sideloading from any source (Telegram, browser downloads, or file-sharing links) skips Google Play's review process and exposes the device to unreviewed code; Play Protect's on-device scan is a last line of defence, not a substitute for that review.
- Treat any Telegram bot promising investment returns as a scam by default. Advance-fee scam mechanics — showing a balance that cannot be withdrawn without a prior deposit — are the defining characteristic of FEMITBOT and TRAP10. Legitimate financial services do not operate through Telegram bots or Mini Apps.
- Enable Google Play Protect and scan for unknown APKs. In the Google Play app, open the profile menu, then Play Protect > Scan to detect known malicious APKs. Enable "Improve harmful app detection" to submit unknown apps to Google for analysis. Review Settings > Apps for any unrecognised applications, particularly those whose names match major brands but that were installed from outside Google Play.
- Report suspicious Telegram bots immediately. Open the bot profile, tap the three-dot menu, select Report, and choose the appropriate category (fraud or spam). Reporting accelerates Telegram’s internal takedown review. Optionally, report to the Telegram abuse portal for formal review.
- For security teams and brand owners: Monitor Telegram channels and bot listings for unauthorised use of your organisation's brand assets. Submit takedown requests via Telegram's abuse portal. Coordinate with threat intelligence vendors capable of monitoring messaging platforms for impersonation infrastructure, and watch for the "Welcome to join the FEMITBOT platform" API string in web crawl or proxy response data; since it is an HTTP response body, it will not appear in passive DNS, but any domain that returns it can then be pivoted on in passive DNS to enumerate sibling infrastructure.
- Check devices that may have already sideloaded APKs. If a user or employee reports installing an app via a Telegram link, treat the device as potentially compromised: run Play Protect, check for unknown apps, revoke saved credentials stored on the device, and consider a factory reset if further compromise is suspected.
Detection and Verification
Network-level detection: Monitor HTTP response bodies for the API fingerprint Welcome to join the FEMITBOT platform (for HTTPS this requires a proxy that performs TLS inspection and logs at least a sample of the response body). The string is returned by the backend API that the Mini App phishing pages call, and it is currently the most reliable network-observable indicator available. Treat any domain returning it as part of the campaign, whatever brand the front end impersonates.
Proxy and DLP hunting query:
-- Requires response-body sampling to be enabled on the proxy; the subquery
-- assumes a threat_intel table of domains tagged by campaign.
SELECT timestamp, src_ip, dest_host, uri, response_body_sample
FROM proxy_logs
WHERE response_body_sample LIKE '%FEMITBOT%'
   OR dest_host IN (SELECT domain FROM threat_intel WHERE campaign = 'FEMITBOT')
ORDER BY timestamp DESC
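The same hunt as a standalone script, added here as an example and not taken from CTM360's tooling or the page's own query: it walks constructed JSON-lines proxy records (the field names `ts`, `src_ip`, `host`, `uri`, `status`, `content_type` and `body_sample` are assumptions about your log schema), flags the FEMITBOT fingerprint in response bodies, and separately flags Android package downloads, with higher confidence when the filename carries one of the impersonated brand names. The host allowlist is a hypothetical placeholder.

```python
"""Hunt proxy logs for FEMITBOT indicators: the backend fingerprint string
and Android package downloads carrying impersonated brand names.
Added example with a constructed log; field names are assumptions."""
import json
import posixpath
from urllib.parse import urlsplit

FINGERPRINT = "Welcome to join the FEMITBOT platform"
APK_MIME = "application/vnd.android.package-archive"
# Brands that CTM360 reports being impersonated by FEMITBOT APK filenames.
IMPERSONATED_BRANDS = ("bbc", "nvidia", "cinetv", "coreweave", "claro")
# Hypothetical allowlist of hosts permitted to serve APKs (e.g. an MDM
# distribution point). Empty here, so every APK download is reviewed.
APK_HOST_ALLOWLIST = set()

# Constructed JSON-lines proxy log: one request/response pair per line.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:01:00Z", "src_ip": "10.0.0.12", "host": "invest.example.test",
     "uri": "/api/user/info", "status": 200, "content_type": "application/json",
     "body_sample": json.dumps({"code": 0, "msg": FINGERPRINT})},
    {"ts": "2025-01-10T09:02:10Z", "src_ip": "10.0.0.12", "host": "cdn.invest.example.test",
     "uri": "/download/NVIDIA_App.apk", "status": 200, "content_type": APK_MIME,
     "body_sample": "PK\u0003\u0004"},
    {"ts": "2025-01-10T09:05:00Z", "src_ip": "10.0.0.40", "host": "intranet.corp.test",
     "uri": "/news/", "status": 200, "content_type": "text/html",
     "body_sample": "<!doctype html><title>Intranet</title>"},
    {"ts": "2025-01-10T09:06:30Z", "src_ip": "10.0.0.12", "host": "cdn.invest.example.test",
     "uri": "/download/Coreweave.apk?token=abc123", "status": 200,
     "content_type": "application/octet-stream", "body_sample": "PK\u0003\u0004"},
    {"ts": "2025-01-10T09:09:00Z", "src_ip": "10.0.0.77", "host": "files.corp.test",
     "uri": "/tools/inventory-agent.apk", "status": 200, "content_type": APK_MIME,
     "body_sample": "PK\u0003\u0004"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def classify(event):
    """Return the list of reasons an event is interesting (empty if none)."""
    reasons = []
    if FINGERPRINT in (event.get("body_sample") or ""):
        reasons.append("femitbot_fingerprint")
    host = (event.get("host") or "").lower()
    # Strip the query string before looking at the filename.
    filename = posixpath.basename(urlsplit(event.get("uri") or "").path).lower()
    content_type = (event.get("content_type") or "").lower()
    is_apk = filename.endswith(".apk") or content_type == APK_MIME
    if is_apk and host not in APK_HOST_ALLOWLIST:
        brand = next((b for b in IMPERSONATED_BRANDS if b in filename), None)
        # A brand name in the filename is the high-confidence FEMITBOT pattern;
        # any other sideload is still worth a look because Telegram-delivered
        # APKs reach the device outside Google Play review.
        reasons.append(f"brand_apk:{brand}" if brand else "sideload_apk")
    return reasons


def hunt(lines):
    """Parse JSON-lines proxy records and return the flagged ones."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed record should not abort the hunt
        reasons = classify(event)
        if reasons:
            hits.append({"line": lineno, "src_ip": event.get("src_ip"),
                         "host": event.get("host"), "uri": event.get("uri"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against a real export by feeding the file's lines to `hunt()`; the fingerprint match is exact and case-sensitive on purpose, since the backend returns the string verbatim, while the APK check deliberately tolerates a generic `content_type` because download hosts do not always label packages correctly.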
Android device forensics: Check /sdcard/Download/ and /sdcard/Telegram/Telegram Documents/ (the exact Telegram download directory varies with the Android version and Telegram build) for APK files whose names match legitimate brand names (e.g., BBC_News.apk, NVIDIA_App.apk, CineTV.apk). Do not trust the filename: extract the package's signing certificate (for example with the Android SDK's apksigner verify --print-certs) and compare its SHA-256 digest with the certificate of the same app installed from Google Play. A FEMITBOT APK will carry a certificate that does not match the brand's release-signing key, whatever name and icon it presents.
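The device-side check as an added Python example (not part of the page or the CTM360 advisory): it parses the output of the Android SDK's `apksigner verify --print-certs`, which you run against the pulled APK, and compares the signer digests with an allowlist. The allowlist digests and the two sample outputs are constructed placeholders, not real NVIDIA or BBC certificate fingerprints; populate the allowlist from an APK installed from Google Play.

```python
"""Triage a sideloaded APK by its signing certificate, not its filename.
Added example: parses `apksigner verify --print-certs` output (run
separately against the pulled file) and compares signer digests with an
analyst-maintained allowlist. All digests and sample outputs below are
constructed placeholders, not real certificate fingerprints."""
import re
import subprocess
import sys

# Hypothetical allowlist: brand -> SHA-256 digests of that brand's genuine
# release-signing certificate(s). Fill it from an APK obtained from Google
# Play, never from the suspicious sample itself.
KNOWN_GOOD_SIGNERS = {
    "nvidia": {"11" * 32},
    "bbc": {"22" * 32},
}

# apksigner prints one "Signer #N certificate <field>: <value>" line per
# field; only the DN and the SHA-256 digest are needed here.
SIGNER_RE = re.compile(r"^Signer #(\d+) certificate (DN|SHA-256 digest): (.+)$", re.M)

# Constructed sample outputs. The first mimics an impersonating build signed
# with an unknown key; the second mimics the genuine app.
FAKE_NVIDIA_OUTPUT = (
    "Signer #1 certificate DN: CN=Unknown, O=Unknown, C=XX\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)
GOOD_NVIDIA_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Release Key, O=Example, C=US\n"
    "Signer #1 certificate SHA-256 digest: " + "11" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "ef" * 20 + "\n"
)


def parse_print_certs(text):
    """Return {signer_number: {"dn": ..., "sha256": ...}} from apksigner output."""
    signers = {}
    for num, field, value in SIGNER_RE.findall(text):
        entry = signers.setdefault(int(num), {})
        if field == "DN":
            entry["dn"] = value.strip()
        else:
            entry["sha256"] = value.strip().lower()
    return signers


def brand_from_filename(filename):
    """Which allowlisted brand the filename claims to be, if any."""
    name = filename.rsplit("/", 1)[-1].lower()
    return next((b for b in KNOWN_GOOD_SIGNERS if b in name), None)


def triage(filename, apksigner_output):
    """Return (verdict, brand) for an APK given apksigner's printed certs."""
    brand = brand_from_filename(filename)
    signers = parse_print_certs(apksigner_output)
    if not signers:
        # "DOES NOT VERIFY" or an unreadable archive: no usable signature.
        return "unverifiable", brand
    if brand is None:
        return "unknown-brand", None
    digests = {s["sha256"] for s in signers.values() if "sha256" in s}
    # Every signer apksigner lists must be known-good for the claimed brand.
    if digests and digests <= KNOWN_GOOD_SIGNERS[brand]:
        return "signer-matches-brand", brand
    return "impersonation", brand


if __name__ == "__main__":
    # Usage: python triage_apk.py /path/to/NVIDIA_App.apk  (needs apksigner on PATH)
    path = sys.argv[1]
    run = subprocess.run(["apksigner", "verify", "--print-certs", path],
                         capture_output=True, text=True)
    print(triage(path, run.stdout + run.stderr))
```

An "unverifiable" verdict is treated as hostile rather than inconclusive: a package whose signature block apksigner cannot verify should never be installed, and on a device where it already was, the response steps above (credential revocation, factory reset) apply regardless of which brand it impersonated.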
Conclusion
FEMITBOT illustrates how Telegram’s own trusted feature infrastructure — Mini Apps and the WebView renderer — becomes the delivery mechanism for both financial fraud and device compromise at scale. Any Telegram bot requesting cryptocurrency deposits or APK downloads should be treated as high-confidence malicious activity; report it, do not engage, and verify through official brand channels before taking any financial action.
For any query contact us at contact@cipherssecurity.com

