FEMITBOT uses Telegram Mini Apps to deliver Android malware
CTM360 researchers found FEMITBOT runs Telegram Mini Apps that host fake crypto dashboards, impersonate brands and prompt users to sideload APKs that contain Android malware.
Security firm CTM360 found that operators behind FEMITBOT use Telegram bots to open embedded Mini Apps inside Telegram’s WebView and present fake crypto investment dashboards to targets. The Mini Apps load and run inside the messaging app rather than sending victims to an external browser.
When a user taps “Start” on a malicious bot, the Mini App displays a dashboard with fabricated account balances, earnings and countdown timers. Attempts to withdraw purported funds trigger requests for real-money deposits or completion of referral tasks, a pattern consistent with advance-fee and pig-butchering scams.
CTM360’s analysis shows the operation uses a modular, template-driven backend that allows operators to change branding, language and visual themes while keeping the same infrastructure. Researchers identified a shared API response string, “Welcome to join the FEMITBOT platform,” across multiple phishing domains. Campaigns impersonated crypto firms including Bitget, OKX, Binance and MoonPay and ran in several languages.
Some Mini Apps include conversion-tracking mechanisms tied to Meta Platforms and TikTok. CTM360 observed tracking pixels embedded in certain Mini Apps to monitor user actions and measure how many visitors convert into paying victims.
Several FEMITBOT Mini Apps distribute Android installation files. CTM360 found APKs masquerading as apps from Netflix, BBC, NVIDIA, CineTV, Coreweave and Claro. The APK files were hosted on the same domains used for the phishing APIs and served with valid TLS certificates, which reduces browser security warnings.
Victims are asked to sideload the APKs, open links inside the app’s built-in browser or install progressive web apps that resemble legitimate software. Because the files bypass the Google Play Store, the researchers identified an increased risk for Android users who install packages from outside official stores.
CTM360 noted that hosting, certificate management and domain reuse were used to make downloads appear legitimate. The researchers advise that offers promising unrealistic returns, countdowns demanding immediate action, withdrawal steps that require deposits or referrals, and requests to install APKs from outside official app stores are indicators of fraud.
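The shared API response string and the same-domain APK hosting described above can be combined into a triage check over web-proxy records. The sketch below is an added example, not code from CTM360 or BlockPort; the record field names and the `.example` hosts are constructed assumptions.

```python
from collections import defaultdict

# Shared API response string CTM360 reported across FEMITBOT phishing domains.
MARKER = "welcome to join the femitbot platform"
APK_MIME = "application/vnd.android.package-archive"

# Constructed proxy records (not real traffic); field names are assumptions.
SAMPLE = [
    {"host": "pay.brand-a.example", "path": "/download/app.apk?ref=tg",
     "ctype": APK_MIME, "body": ""},
    {"host": "Pay.Brand-A.example", "path": "/api/user/info",
     "ctype": "application/json",
     "body": '{"code":1,"msg":"Welcome to join the FEMITBOT platform"}'},
    {"host": "earn.brand-b.example", "path": "/api/index",
     "ctype": "application/json",
     "body": '{"msg":"Welcome to join the FEMITBOT platform"}'},
    # An APK served by a host that never returned the marker is not flagged.
    {"host": "mdm.corp.example", "path": "/agents/agent.apk",
     "ctype": APK_MIME, "body": ""},
]


def is_apk(rec):
    """True when the response is an Android package by MIME type or extension."""
    path = rec["path"].split("?", 1)[0].lower()
    return rec.get("ctype", "") == APK_MIME or path.endswith(".apk")


def triage(records):
    """Map each host that returned the marker to the APK paths it also served."""
    seen = defaultdict(lambda: {"marker": False, "apks": []})
    for rec in records:
        # Normalise the host so case or a trailing dot does not split one domain.
        entry = seen[rec["host"].lower().rstrip(".")]
        if MARKER in rec.get("body", "").lower():
            entry["marker"] = True
        if is_apk(rec):
            entry["apks"].append(rec["path"])
    # Filter after the full pass: an APK download may be logged before the marker.
    return {h: e["apks"] for h, e in sorted(seen.items()) if e["marker"]}


if __name__ == "__main__":
    for host, apks in triage(SAMPLE).items():
        level = "marker + APK delivery" if apks else "marker only"
        print(f"{host}: {level} {apks}")
```

A host that appears with a non-empty APK list matches both behaviours the researchers describe and is the first candidate for blocking and for checking which devices fetched the file.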