ZCyberNews
Threat Intel | High | 2 min read

Telegram Mini Apps Fuel Crypto Scams, Android Malware Campaign

Researchers uncovered a fraud network abusing Telegram Mini Apps to impersonate brands, steal crypto wallets, and push Android malware like SpyNote and ERMAC.


Executive Summary

Researchers have identified a large-scale fraud operation exploiting Telegram's Mini App feature to perpetrate cryptocurrency scams, brand impersonation, and Android malware distribution. According to a report from BleepingComputer (May 3, 2026), the campaign involves over 100 fraudulent Mini Apps that mimic legitimate services such as crypto exchanges, wallet providers, and investment platforms. Victims are lured through social media ads and Telegram channels, then directed to Mini Apps that either steal credentials, drain cryptocurrency wallets, or install Android malware including SpyNote and ERMAC.

Technical Analysis

Telegram's Mini App platform allows third-party developers to build lightweight web applications that run inside the Telegram client, accessible via inline buttons or bot interfaces. The attackers registered multiple Telegram bots and configured them to serve Mini Apps that replicate the login pages of well-known crypto brands. Once a user enters credentials or connects a wallet, the data is exfiltrated to attacker-controlled servers. In some variants, the Mini App prompts the user to download an APK file under the guise of a security update or trading tool. The downloaded payloads analyzed by researchers include SpyNote (a remote access trojan for Android) and ERMAC (a banking trojan targeting crypto wallet apps).

BleepingComputer reports that the operation employs a tiered infrastructure: Telegram bots act as initial contact points, Mini Apps host the phishing or malware delivery interface, and backend servers collect stolen data or command infected devices. The campaign appears financially motivated, with losses estimated in the hundreds of thousands of dollars based on victim reports in Telegram groups and blockchain analysis. The researchers noted that Telegram's Mini App review process was bypassed by using short-lived bot tokens and frequently rotating domains, making takedown efforts challenging.

Mitigations & Recommendations

Defenders should advise users to avoid clicking on unsolicited Telegram bot links or Mini App invitations, especially those promising high-yield crypto investments or requiring APK downloads. Organizations in the cryptocurrency sector should monitor for brand impersonation in Telegram Mini Apps and report fraudulent bots to Telegram's abuse team. Android users should disable installation from unknown sources in system settings and verify app signatures before sideloading. Security teams can deploy network-level blocking of known C2 domains associated with SpyNote and ERMAC campaigns, and implement user awareness training focused on Telegram-based social engineering tactics.
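The recommendation above to monitor for brand impersonation in Telegram bots and Mini Apps can be partly automated. The script below is an added example, not code from the article or from any of the researchers it cites: it normalizes observed bot usernames or Mini App titles (ASCII fold, digit-for-letter substitutions, lure words such as "official" or "support") and scores them against a constructed list of protected brand names so that near-miss spellings and homoglyph handles surface for review. The brand list, lure words, sample handles and the 0.85 threshold are all assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed list of brand names a crypto exchange or wallet vendor wants to protect.
PROTECTED_BRANDS = ("binance", "metamask", "coinbase", "trustwallet")

# Digit/symbol-for-letter substitutions commonly used to dodge exact-match filters.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "@": "a"})

# Lure words appended to a brand to make a bot or Mini App look official (assumed list).
LURE_WORDS = ("official", "support", "airdrop", "bonus", "verify", "secure", "update", "wallet", "bot", "app")


def normalize(handle: str) -> str:
    """Fold a bot username or Mini App title to a lowercase ASCII letter core."""
    # NFKD plus an ASCII fold strips accents and fullwidth forms and drops non-Latin
    # homoglyphs outright; a full Unicode confusables table would be more thorough.
    s = unicodedata.normalize("NFKD", handle).encode("ascii", "ignore").decode().lower()
    s = s.translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", s)  # drop '_', '-', '.', leftover digits, etc.


def strip_lure_words(core: str) -> str:
    for w in LURE_WORDS:
        core = core.replace(w, "")
    return core


def impersonation_score(handle: str) -> tuple[str, float]:
    """Return (closest protected brand, similarity 0..1) for an observed handle."""
    core = normalize(handle)
    for brand in PROTECTED_BRANDS:  # exact brand embedded in the handle
        if brand in core:
            return brand, 1.0
    stripped = strip_lure_words(core)
    best, best_ratio = "", 0.0
    for brand in PROTECTED_BRANDS:  # near-miss spellings (binanse, bnance, ...)
        ratio = SequenceMatcher(None, stripped, brand).ratio()
        if ratio > best_ratio:
            best, best_ratio = brand, ratio
    return best, best_ratio


def flag_suspicious(handles, threshold: float = 0.85):
    """Triage a batch of handles; returns (handle, brand, score) for those worth reporting."""
    hits = []
    for h in handles:
        brand, score = impersonation_score(h)
        if score >= threshold:
            hits.append((h, brand, round(score, 2)))
    return hits


if __name__ == "__main__":
    # Constructed sample of bot usernames as they might appear in Telegram invites.
    sample = ["Binance_Official_Bot", "MetaMask_Supp0rt", "Binanse_wallet_bot",
              "B\u0456nance_Official", "weather_forecast_bot"]
    for hit in flag_suspicious(sample):
        print(hit)
```

Flagged handles are candidates for the abuse report to Telegram mentioned above, not verdicts; a human should confirm each one before reporting.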
