Cybersecurity researchers have identified a large-scale fraud operation that abuses Telegram's Mini Apps functionality to run crypto scams, impersonate well-known brands and distribute Android malware. The CTM360 technical report describes reusable infrastructure, which analysts track under the "FEMITBOT" label, capable of serving phishing pages embedded in the app's own experience, making the scam more credible and harder for unwary users to detect. This is not an isolated campaign: according to the analysis the researchers shared (CTM360 report), it is a multi-channel platform that enables repeatable, scalable campaigns.
Telegram Mini Apps are essentially lightweight web applications that run in the platform's built-in browser and let a bot offer payments, account access or interactive tools without leaving the app. That convenience, which Telegram documents in its official guide, also becomes a risk when malicious actors use the same framework to present fraudulent interfaces with a legitimate appearance. You can review how these Mini Apps are built in the official Telegram documentation (Telegram Web Apps) to understand why running inside the WebView is particularly powerful from the point of view of deception.

In the observed campaigns, the typical flow begins with a bot that invites the user to press "Start"; the bot launches a Mini App that loads a native-looking phishing page, shows fake balances or "profits", and applies pressure with countdown timers or limited-time offers. When the victim tries to withdraw funds, they are first required to make an additional deposit or complete referral tasks, classic advance-fee fraud techniques. Beyond phishing, some of these Mini Apps push downloads of malicious APKs or PWAs that impersonate legitimate applications, which introduces a persistent compromise vector on Android devices.
From a technical point of view, operators take advantage of features that reduce warning signs: they host APIs and APKs under the same domains with valid TLS certificates, use carefully chosen file names for the applications, and embed Meta or TikTok tracking pixels to measure conversions and optimize campaigns. The result is an experience that looks fully integrated and trustworthy at first glance, but is controlled by cybercriminals, and that evades many simple detection heuristics.
The implications are manifold. For individual users, the main risk is financial loss and the installation of Trojans that steal credentials or take control of the device. For the platform and the crypto ecosystem, these operations erode public trust and may catalyse stricter regulation of messaging and in-app payments. For defenders and security vendors, the reuse of infrastructure and the domain chains these platforms provide make it harder to block campaigns without affecting legitimate services.
In practical terms, there are concrete measures every user can adopt today: do not interact with unknown bots that promise fast returns, do not download or install APKs from links delivered through messaging, and avoid enabling installation from unknown sources on Android. Google maintains resources on the risks of installing apps outside official stores and on how to manage those permissions on Android (install apps from unknown sources). It is also wise to always verify through a company's official channels before trusting a promotion that arrives via Telegram and, in the case of crypto assets, to prefer hardware wallets and official contracts for transfers.

Platforms such as Telegram have room to improve controls: vetting and certification of Mini Apps, tighter limits for bots that redirect to downloads, automated analysis of hosted APK packages, and proactive collaboration with domain registrars and law enforcement to take down malicious infrastructure. Without platform-level mitigations, attackers will keep exploiting the ease of deploying web experiences inside messaging apps.
For security teams and content providers, detecting this type of campaign requires looking beyond traditional signatures: correlating domains that return identical API responses, analysing the content embedded in WebViews, and monitoring tracking pixels on pages of apparent legitimacy. It is also advisable to set up fast channels for users to report suspicious bots and for platforms to act quickly.
The appearance of FEMITBOT highlights a broader trend: attack surfaces are migrating into integrated experiences that seek to exploit the user's contextual trust. The combination of social engineering, reusable infrastructure and monetization tactics (deposits, affiliates, malware distribution) makes these operations highly profitable and hard to eradicate. Staying informed, distrusting anything that promises easy money and applying basic security controls on the device are, for now, the most effective defenses against these scams.
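The three detection signals named above (shared API responses across domains, tracking pixels in WebView content, and APK download links) can be combined in a simple triage script. This is an added example, not code from CTM360 or the article; the domains, API bodies and HTML fragments are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: per-domain API response body and the HTML the Mini App
# WebView would render. All domains and contents are made up (".example").
SAMPLE_SITES = {
    "wallet-promo.example": {
        "api": '{"balance": 4200.00, "profit": 312.5, "withdraw_min": 50}',
        "html": '<img src="https://www.facebook.com/tr?id=000&ev=PageView">'
                '<a href="/app/wallet.apk">Install app</a>',
    },
    "bonus-vault.example": {
        "api": '{"balance": 4200.00, "profit": 312.5, "withdraw_min": 50}',
        "html": '<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>'
                '<a href="/download/secure-wallet.apk">Get the app</a>',
    },
    "docs.example": {
        "api": '{"status": "ok"}',
        "html": "<p>Product documentation</p>",
    },
}

# Hypothetical indicator patterns for Meta and TikTok pixels and APK links.
PIXEL_PATTERNS = [r"facebook\.com/tr\?", r"analytics\.tiktok\.com"]
APK_PATTERN = r'href="([^"]+\.apk)"'


def cluster_by_api_response(sites):
    """Group domains whose API endpoint returns byte-identical bodies."""
    groups = defaultdict(list)
    for domain, data in sites.items():
        digest = hashlib.sha256(data["api"].encode()).hexdigest()
        groups[digest].append(domain)
    return {d: doms for d, doms in groups.items() if len(doms) > 1}


def webview_indicators(html):
    """Return tracking pixels and APK links found in rendered WebView content."""
    pixels = [p for p in PIXEL_PATTERNS if re.search(p, html)]
    apks = re.findall(APK_PATTERN, html)
    return {"tracking_pixels": pixels, "apk_links": apks}


def score_sites(sites):
    """Flag a domain when at least two of the three signals are present."""
    shared = {d for doms in cluster_by_api_response(sites).values() for d in doms}
    flagged = {}
    for domain, data in sites.items():
        ind = webview_indicators(data["html"])
        score = (domain in shared) + bool(ind["tracking_pixels"]) + bool(ind["apk_links"])
        if score >= 2:
            flagged[domain] = score
    return flagged
```

In practice the `api` and `html` fields would be populated from a crawler or proxy capture rather than embedded literals, and the two-signal threshold tuned against known-good Mini Apps.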