Phishing, Application security, Malware

Telegram mini apps used in large-scale crypto scams and malware distribution

A large-scale fraud operation is leveraging Telegram's Mini App feature to conduct cryptocurrency scams, impersonate well-known brands, and distribute Android malware. The operation, identified as FEMITBOT, uses Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform. Bleeping Computer has further coverage.

The FEMITBOT platform facilitates various scams, including fake cryptocurrency, financial services, AI tool, and streaming sites. Threat actors impersonate major brands like Apple, Coca-Cola, and Disney to enhance credibility. The operation uses a shared backend infrastructure with consistent API responses, which makes it easy to switch branding and languages across different campaigns. Users who interact with the malicious bots are presented with phishing pages within Telegram's built-in browser, often displaying fake balances and urgent offers.

To withdraw funds, victims are prompted to deposit money or complete referral tasks. Some campaigns also distribute Android malware disguised as legitimate applications, urging users to download APK files or install progressive web apps. Tracking scripts from Meta and TikTok are employed to monitor user activity and optimize campaign performance.

Source: Bleeping Computer
