Telegram Mini Apps fuel crypto scams and Android malware

A fraud operation is using Telegram Mini Apps to impersonate brands, run crypto scams, and deliver Android malware.
A Telegram feature built for convenience is being used in the opposite direction: to lure users into crypto fraud and push malicious Android apps.
Misryoum reports that cybersecurity researchers have uncovered a large-scale scam operation that relies on Telegram’s Mini Apps. These Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, letting services feel integrated while users stay within the messaging app.
The campaign, described under the name FEMITBOT, appears to reuse a shared backend and specific signals embedded in API responses. By coupling Telegram bots with embedded Mini Apps, the operators can present phishing pages and “app-like” dashboards that look legitimate at first glance.
A key detail is how the deception plays out inside Telegram itself. When a user taps a bot and selects the “Start” option, the bot opens a Mini App in Telegram’s WebView, presenting the scam experience as if it’s part of the platform. From there, victims are steered toward fake balances or “earnings,” often reinforced with urgency cues that push people to act quickly.
Misryoum notes that the scam flow mirrors common advance-fee and investment fraud patterns: when users try to withdraw, they’re typically asked to pay deposits or complete referral-style tasks before money can be accessed. The operation is also described as flexible, allowing attackers to swap branding and themes across campaigns while keeping the same underlying infrastructure.
Why this matters: Telegram Mini Apps can blur the line between a normal in-app experience and a web page designed to manipulate users, which makes social engineering more effective even for people who think they are staying “inside” a trusted app.
Beyond scams, the same ecosystem has also been used to attempt Android malware delivery. Some Mini Apps reportedly encourage users to download APK files or install web-based experiences that mimic legitimate apps. Several of the impersonations referenced in the campaign include well-known names, used to reduce skepticism and increase click-through.
Misryoum advises users to be especially cautious with Telegram bots that promote crypto investments or prompt Mini App launches tied to deposits or “limited-time” incentives. As a general security habit for Android, sideloading APK files from untrusted sources remains a major risk route for malware.
Final insight: the real challenge is not just the malicious content, but the frictionless path that brings it to the victim, using a familiar messaging interface to make the scam feel ordinary.