A new fraud platform called FEMITBOT is hijacking Telegram’s Mini App feature to run convincing crypto scams, impersonate household-name brands, and push Android malware to people who think they’re still inside a trusted messaging app. The platform was identified in a May 2026 advisory by Bahrain-based cybersecurity firm CTM360, which says the same backend infrastructure powers fake versions of Apple, Disney, NVIDIA, IBM, eBay, Coca-Cola, MoonPay, and YouKu, all served through Telegram bots that load full phishing pages inside Telegram’s built-in WebView.
The trick works because the user never visibly leaves Telegram. The Mini App slides up like a native sheet, shows a polished dashboard with fake balances and countdown timers, and pushes the victim toward a deposit, a referral task, or, on Android, an APK download dressed up as a legitimate brand app.
FEMITBOT got its name from a fingerprint hidden in plain sight. Researchers found the same API response, “Welcome to join the FEMITBOT platform,” echoing across dozens of unrelated phishing domains, proving they share one shadow operator behind many faces.
Inside the FEMITBOT Phishing Engine
FEMITBOT is not a single bot. It is a kit, designed to be re-skinned in minutes. CTM360 says the operators run a shared backend that lets them swap out branding, language, and theme, then point a fresh Telegram bot at the same API to spin up a new “investment platform” overnight.
Once a victim taps Start inside the bot, Telegram launches the Mini App in its own WebView. That WebView inherits the trust of the host app, so the page loads without the address-bar friction or browser warnings that usually save people on the open web. The result is a phishing surface that looks, scrolls, and behaves like a real Telegram product.
“Telegram’s platform currently lacks a robust vetting process for Mini Apps, enabling attackers to publish malicious apps without prior review,” Kaspersky researchers wrote in a Securelist analysis of Mini App phishing.
The infrastructure also leans on Meta and TikTok tracking pixels embedded inside the Mini Apps, which let the operators measure conversions and A/B-test their lures the same way a real performance-marketing team would.

The Brands Wearing Borrowed Logos
Brand impersonation is the engagement engine. FEMITBOT campaigns dress the scam as something a casual user would already trust, then ride that trust into a deposit screen.
Brands CTM360 has flagged in active FEMITBOT lures include:
- Apple. Used to front fake “AI tools” and rewards platforms that ride the iPhone halo.
- NVIDIA. Front for sham GPU-mining and AI-revenue dashboards aimed at retail crypto holders.
- Disney, BBC, and YouKu. Turned into fake streaming and subscription portals.
- Coca-Cola, eBay, IBM. Repurposed as bait for “corporate partnership” investment programs.
- MoonPay. Cloned to give the crypto on-ramp a familiar logo before the deposit step.
- CineTV, Coreweave, Claro. Used as cover names on the Android APK side of the operation.
How the Trap Springs
The flow is engineered to feel less like a phishing site and more like a regular onboarding journey, which is exactly why it converts.
- Bait. Victim sees a Telegram or Meta ad, a forwarded message, or a referral link from someone in their contacts.
- Bot. Tapping the link opens a Telegram bot. The user clicks Start because it looks like a normal verification step.
- Mini App. The bot launches a WebView that fills the screen with a dashboard for a brand the user recognises.
- Hook. The dashboard shows a fake balance, a countdown timer, or a “limited slots” banner to manufacture urgency.
- Deposit. When the victim tries to withdraw the fake earnings, the app demands a small crypto deposit or a referral task to “unlock” the wallet.
- Lock-out. Withdrawals never clear. Support stops responding. The bot is replaced with a new clone the next day.
It is the same advance-fee playbook that has run on websites for two decades, repackaged for an audience that no longer types URLs.
APKs Disguised as Trusted Apps
The crypto angle gets the headlines, but the Android side is the more dangerous half of FEMITBOT. CTM360 found Mini Apps quietly pushing APK downloads dressed up as the BBC, NVIDIA, CineTV, Coreweave, and Claro mobile apps.
The APKs are hosted on the same domain as the API, so the install link carries a valid TLS certificate and never triggers a mixed-content warning. To a user who has been told all morning by a polished dashboard that they are dealing with NVIDIA, the green padlock is the last reassurance they need.
Filenames are picked to slip past suspicion. Some imitate real brand strings. Others use random-looking identifiers that read like a legitimate build number. Either way, the user is asked to enable installation from unknown sources, the one switch that most consumer Android phishing depends on.
That switch is also why Google is rewriting the rules. Google’s August 2025 Developer Verification announcement requires every app installed on a certified Android device to be tied to a verified developer identity, with the first wave landing in Brazil, Indonesia, Singapore, and Thailand in September 2026, markets chosen specifically because they see higher fraud-app rates.
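One way a defender could turn the two infrastructure traits described above, the shared API greeting and APKs served from the API's own host, into a triage check over crawler or web-proxy captures. This is an added example, not CTM360's tooling or code from the advisory; the capture format, hosts, filenames and response bodies are constructed placeholders, and only the greeting string comes from this page.

```python
import re
from urllib.parse import urljoin, urlparse

# Fingerprint string as quoted on this page; everything else here is constructed.
FINGERPRINT = "Welcome to join the FEMITBOT platform"
APK_LINK = re.compile(r'href=["\']([^"\']+\.apk)(?:\?[^"\']*)?["\']', re.I)

# Constructed captures (placeholder .example hosts, invented response shapes),
# standing in for rows exported from a crawler or web proxy.
CAPTURES = [
    {"page": "https://brand-a.example/app/",
     "api": "https://brand-a.example/api/index",
     "api_body": '{"code":1,"msg":"Welcome to join the FEMITBOT platform"}',
     "html": '<a href="/download/brand_a_v2.apk">Get the app</a>'},
    {"page": "https://brand-b.example/",
     "api": "https://api.brand-b.example/v1/home",
     "api_body": '{"msg": "welcome to join the  FEMITBOT platform"}',
     "html": '<a href="https://api.brand-b.example/pkg/8f3a21.apk?ch=tg">Install</a>'},
    {"page": "https://shop.example/",
     "api": "https://shop.example/api/status",
     "api_body": '{"status":"ok"}',
     "html": '<a href="https://cdn.example/files/app.apk">Android app</a>'},
]

def has_fingerprint(body: str) -> bool:
    # Normalise case and whitespace so a reformatted response still matches.
    return FINGERPRINT.lower() in " ".join(body.split()).lower()

def same_host_apks(capture: dict) -> list:
    """APK links on the page that resolve to the same host as the API endpoint."""
    api_host = urlparse(capture["api"]).hostname
    links = (urljoin(capture["page"], href) for href in APK_LINK.findall(capture["html"]))
    return [url for url in links if urlparse(url).hostname == api_host]

def triage(captures: list) -> tuple:
    """Return (API hosts sharing the fingerprint, {API host: same-host APK URLs})."""
    cluster, apk_hits = set(), {}
    for cap in captures:
        host = urlparse(cap["api"]).hostname
        if has_fingerprint(cap["api_body"]):
            cluster.add(host)
        apks = same_host_apks(cap)
        if apks:
            apk_hits[host] = apks
    return sorted(cluster), apk_hits

if __name__ == "__main__":
    hosts, apk_hits = triage(CAPTURES)
    print("shared-backend cluster:", hosts)
    print("same-host APK links:", apk_hits)
```

The third capture shows the negative case: an APK link on a different host with no greeting in the API body is left out of both results.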
Why This Lands at Exactly the Wrong Moment
Telegram is the ideal stage for this kind of scam right now because the Mini App layer is mature enough to feel native, but governance has not caught up. The platform crossed 500 million Mini App users in 2024 and stabilised between 150 and 190 million monthly active Mini App users through 2025, according to industry tracking. That is a pool of people who are already comfortable doing payments, sign-ups, and KYC inside Telegram itself.
The financial damage from the broader Telegram fraud surface is no longer marginal:
- $11.4 billion. Crypto-related fraud losses reported to the FBI’s Internet Crime Complaint Center in 2025, a 22% jump over 2024 and a record, per the bureau’s 2025 Internet Crime Report announcement.
- $200 million-plus. Losses tied specifically to Telegram-based fraud in 2025, with scam activity on the platform up 43% year over year.
- 43.5 million. Groups and channels Telegram blocked in 2025 for scam-related activity, with daily takedowns rising from roughly 30,000 to as many as 140,000 after Pavel Durov’s 2024 arrest.
- 266 million. Risky install attempts blocked by Google Play Protect in 2025, per Google’s February 2026 Android safety review, which also found internet-sideloaded apps carry over 50 times the malware rate of Play Store apps.
Spotting a Mini App Scam Before It Costs You
The single best defence is to treat any Telegram bot that talks about money the same way you would treat a cold call from a stranger. Specifically, watch for:
- A Mini App that shows you a balance you did not earn, then asks for a deposit to release it.
- Countdown timers, referral quotas, or “VIP slots” that exist only to rush you.
- An APK download offered inside the Mini App, especially one labelled with a major brand. Real brands ship through the Play Store, not a Telegram bot.
- A bot promoting a household name like Apple or Disney for a financial product. Those companies do not run yield programs on Telegram.
- A request to enable installation from unknown sources to “continue.”
This is the same red-flag set CTM360 has been logging across related campaigns. Its earlier TRAP10 Mini App scam advisory documented an almost identical Ponzi loop, and CTM360’s wider threat intelligence report library shows the FEMITBOT pattern is part of a broader pivot toward in-app phishing surfaces that bypass browser warnings.
Frequently Asked Questions
What is FEMITBOT and how was it discovered?
FEMITBOT is the name CTM360 gave to a Telegram-based fraud platform after spotting the recurring API response “Welcome to join the FEMITBOT platform” across dozens of phishing domains. The May 2026 advisory found the same backend powers fake brand experiences for Apple, NVIDIA, Disney, IBM, MoonPay, and others, all served through Telegram Mini Apps.
Are Telegram Mini Apps themselves dangerous?
Mini Apps are a legitimate feature used by payment services, games, and productivity tools inside Telegram. The risk comes from Telegram’s limited vetting before a Mini App goes live, which lets fraudsters publish phishing pages that load inside the trusted Telegram WebView with no address-bar warnings.
How do I uninstall a malicious APK installed from a Telegram Mini App?
Boot the phone into safe mode, open Settings, go to Apps, and remove the suspicious app along with any device administrator permissions it may have requested. Run Google Play Protect, change passwords for any banking, email, and crypto exchange apps used on the device, and contact your bank if you entered card details into the Mini App.
Can FEMITBOT steal money even if I never installed an APK?
Yes. The crypto side of the operation does not need an APK at all. Once a victim deposits cryptocurrency into the wallet shown by the Mini App, the funds are gone. The platform then locks the withdrawal flow behind further deposits or referral tasks until the victim stops paying.
Will Google’s 2026 Android changes stop scams like this?
They will narrow the channel these scams rely on. From September 2026 onward, certified Android devices in Brazil, Indonesia, Singapore, and Thailand will only run apps tied to a verified developer identity, with global rollout to follow. Sideloaded APKs from unverified developers, the exact distribution channel FEMITBOT uses, become harder to install and easier to attribute.
Is Telegram doing anything about Mini App scams?
Telegram blocked 43.5 million groups and channels in 2025 for scam activity and ramped up daily takedowns to as many as 140,000 after CEO Pavel Durov’s 2024 arrest in France. The platform has not yet introduced a pre-publication review process for Mini Apps, which is the gap researchers say enables most of the fraud.
Until that gap closes, the safest assumption is the simplest one. If a Telegram bot offers free money, instant returns, or a download that sounds too convenient, it is almost certainly FEMITBOT or one of its cousins, wearing a logo it has no right to use. The fastest way to protect yourself is to back out of the Mini App, block the bot, and report it from inside Telegram so the next person who sees it gets a head start you did not.



