FEMITBOT abuses Telegram Mini Apps for crypto scams and Android malware
Original source: "Telegram Mini Apps abused for crypto scams, Android malware delivery" (BleepingComputer)

CTM360 has identified a sprawling fraud platform, internally branded FEMITBOT, that weaponizes Telegram’s Mini App feature to deliver phishing pages and Android malware inside the messenger’s native WebView. Operators run bots that, on a single tap of Start, render fake dashboards impersonating Apple, Disney, eBay, IBM, NVIDIA, Moon Pay and others — complete with fabricated balances, countdown timers, and withdrawal prompts that funnel victims into deposit and referral traps typical of advance-fee schemes.
The infrastructure is multi-tenant by design: dozens of phishing domains share a common backend, betrayed by the recurring API response “Welcome to join the FEMITBOT platform,” which lets operators swap branding, language, and vertical (crypto, AI tools, streaming, finance) without rebuilding. Meta and TikTok tracking pixels are embedded to measure conversion and tune campaigns. A subset of Mini Apps pushes Android APKs hosted on the same domain as the API, which carries a valid TLS certificate; this sidesteps mixed-content warnings, and the APKs impersonate apps from the BBC, NVIDIA, CineTV, Coreweave, and Claro.
The takeaway for defenders is that Telegram’s in-app browser is now a credible phishing surface that inherits the trust users place in the messenger itself. Mini Apps soliciting deposits, referrals, or APK downloads should be treated as hostile by default, and sideloading remains the dominant delivery vector for the malware payloads.
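As an added example (not part of the original article or CTM360's report), the two infrastructure tells above can be turned into a simple triage rule over captured HTTP responses: flag a host if its API responses carry the FEMITBOT banner string, or if the same host serves both a JSON API and an Android APK. The log records, hostnames and field names below are constructed for illustration.

```python
from collections import defaultdict

# Banner string that the report says recurs in FEMITBOT backend API responses.
FEMITBOT_BANNER = "Welcome to join the FEMITBOT platform"
APK_MIME = "application/vnd.android.package-archive"

# Constructed sample records (not real traffic): one dict per HTTP response
# observed from the Telegram WebView, e.g. exported from a proxy. Hostnames are hypothetical.
SAMPLE_RESPONSES = [
    {"host": "wallet-dash.example", "path": "/api/user/balance",
     "content_type": "application/json",
     "body": '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}'},
    {"host": "wallet-dash.example", "path": "/download/NVIDIA_AI.apk",
     "content_type": APK_MIME, "body": ""},
    {"host": "news-stream.example", "path": "/api/session",
     "content_type": "application/json", "body": '{"ok":true}'},
    {"host": "news-stream.example", "path": "/static/BBC_Player.apk",
     "content_type": APK_MIME, "body": ""},
    {"host": "legit-shop.example", "path": "/api/cart",
     "content_type": "application/json", "body": '{"items":[]}'},
    {"host": "cdn-files.example", "path": "/files/tool.apk",
     "content_type": APK_MIME, "body": ""},
]


def triage(responses):
    """Return {host: [reasons]} for hosts that match the FEMITBOT patterns in the report."""
    per_host = defaultdict(lambda: {"banner": False, "api": False, "apk": False})
    for r in responses:
        flags = per_host[r["host"]]
        if FEMITBOT_BANNER in r.get("body", ""):
            flags["banner"] = True  # shared multi-tenant backend tell
        if r["content_type"].startswith("application/json") and r["path"].startswith("/api/"):
            flags["api"] = True
        if r["content_type"] == APK_MIME or r["path"].lower().endswith(".apk"):
            flags["apk"] = True
    findings = {}
    for host, f in per_host.items():
        reasons = []
        if f["banner"]:
            reasons.append("FEMITBOT backend banner in API response")
        if f["api"] and f["apk"]:
            # API and APK on one TLS-valid host: the malware-delivery pattern described above.
            reasons.append("same host serves JSON API and Android APK")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_RESPONSES).items():
        print(host, "->", "; ".join(reasons))
```

A host that only serves an APK (like the constructed cdn-files.example) is deliberately not flagged on its own, since that alone is not the pattern the report describes.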
This is an AI-generated summary. Read the original for the full story.