Scammers used Telegram's built-in mini-apps to impersonate Apple, NVIDIA, and Disney for crypto fraud and Android malware - all running on the same backend

CTM360 disclosed a large-scale fraud platform called FEMITBOT that uses Telegram's Mini App feature to host crypto scams, impersonate major brands, and distribute Android malware. The platform impersonates Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, BBC, and others - all backed by the same shared infrastructure identified by a common API response. The mini-apps display fake balances, countdown timers, and limited-time offers inside Telegram's WebView. Some campaigns push fake Android APKs hosted on the same domain as the API to ensure valid TLS certificates. Meta and TikTok tracking pixels measure conversion rates.

Check

Brief staff that any Telegram bot promoting cryptocurrency investments, asking them to deposit funds, or prompting them to install an APK is fraud - regardless of which brand the bot claims to represent.

Affected

Telegram users worldwide who interact with bots claiming to represent major brands. Acute risk for cryptocurrency-curious users targeted by 'investment opportunity' lures, and for Android users sideloading APKs from Telegram-shared links. Organizations whose brand is being impersonated face customer-trust damage even though the breach is in user behavior, not company systems.

Fix

Block sideloading of APKs on managed Android devices and require Google Play Protect to remain enabled. For brand protection teams: monitor Telegram for bots using your company name and report via Telegram's official channels - though the platform's Mini App vetting is essentially nonexistent so reactive moderation is the only path. Treat any 'official' Telegram bot as unverified by default.