Telegram Mini Apps Abused for Crypto Scams, Android Malware
Cybersecurity researchers have uncovered a large‑scale fraud operation that exploits Telegram’s Mini App feature to conduct crypto scams, impersonate reputable brands, and deliver Android malware. The campaign leverages the trust associated with Telegram’s platform, making it easier to lure victims into interacting with malicious content.
The attackers host fraudulent mini apps inside Telegram, disguising them as legitimate services such as decentralized‑finance (DeFi) wallets, crypto exchanges, and popular social platforms. The mini app then pushes the victim to sideload an associated APK, typically presented as a "special" or "beta" build of a trusted app, which by definition installs outside Google Play and without store review. Once launched, the malware quietly harvests contacts, SMS messages, and authentication tokens from the device. The mini apps also funnel victims to phishing pages that request wallet private keys or login credentials under the guise of airdrops and giveaways.
The operation is estimated to have compromised hundreds of thousands of Android devices across multiple regions. Researchers identified thousands of distinct mini apps and dozens of command‑and‑control domains used to exfiltrate stolen information and push additional payloads. The scale of the campaign, combined with the abuse of Telegram's distribution channel, shows how the in‑app features of a trusted messaging platform can be turned into a delivery channel for both phishing and mobile malware.
Telegram has been notified and is actively removing the flagged mini apps and associated accounts. A takedown does not uninstall APKs that are already on victims' phones, so anyone who sideloaded such an app should remove it and treat any private key or credential entered into the associated pages as compromised. In the meantime, security experts advise users to enable two‑factor authentication, verify an app's package name and signing certificate against the publisher's before installing it, avoid clicking on unsolicited links within chats, and keep the Android OS and security software up to date. Organizations should monitor mobile traffic for connections to the identified command‑and‑control domains and other unusual outbound patterns, inventory sideloaded apps on managed devices, and educate employees about the risks of installing unverified applications, especially those promoted through messaging platforms.
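As an added example, not code from the report or from any of the researchers involved, the following Python triages an Android app inventory of the kind an MDM or `adb` export produces against the pattern described above: a sideloaded app that borrows a known brand's name but is signed by a different certificate and asks for the SMS, contacts and account permissions a stealer needs. The package names, signing‑certificate fingerprints and inventory records are constructed placeholders, and the scoring thresholds are this example's own choices.

```python
# Example triage script added to this article; records and fingerprints are placeholders.
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allow-list of legitimate apps: package -> (label, hex SHA-256 of the
# publisher's signing certificate). Fill it from the publisher's published fingerprint
# or from a copy of the app pulled from the official store.
KNOWN_APPS = {
    "com.example.wallet":   ("Example Wallet",   "aa" * 32),   # placeholder fingerprint
    "com.example.exchange": ("Example Exchange", "bb" * 32),   # placeholder fingerprint
}

# Installer packages we trust; com.android.vending is Google Play.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions the described stealer needs to harvest SMS, contacts and account tokens.
HARVEST_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
}

# Filler words scammers bolt onto a brand name ("Example Wallet Special", "... Beta").
NOISE_WORDS = {"beta", "special", "pro", "plus", "official", "new", "v2"}


@dataclass
class AppRecord:
    package: str
    label: str
    signer_sha256: str          # hex SHA-256 of the APK signing certificate
    installer: Optional[str]    # package that installed it; None for a manual sideload
    permissions: set


def normalize_label(label: str) -> str:
    """Reduce 'Example Wallet (Beta)' to 'example wallet' so lookalikes compare equal."""
    stripped = re.sub(r"[\(\[].*?[\)\]]", " ", label.lower())
    words = [w for w in re.findall(r"[a-z0-9]+", stripped) if w not in NOISE_WORDS]
    return " ".join(words)


def impersonation_target(rec: AppRecord) -> Optional[str]:
    """Return the known package this app poses as, or None if it is genuine or unrelated."""
    norm = normalize_label(rec.label)
    for pkg, (label, signer) in KNOWN_APPS.items():
        if normalize_label(label) != norm:
            continue
        # Same brand name: genuine only if package *and* signing certificate both match.
        if rec.package == pkg and rec.signer_sha256.lower() == signer:
            return None
        return pkg
    return None


def triage(rec: AppRecord) -> dict:
    """Score one installed app; the weights and thresholds are this example's own choices."""
    score, reasons = 0, []
    target = impersonation_target(rec)
    if target:
        score += 3
        reasons.append(f"impersonates {target} (package or signer mismatch)")
    if rec.installer not in TRUSTED_INSTALLERS:
        score += 1
        reasons.append(f"sideloaded via {rec.installer or 'manual install'}")
    harvest = rec.permissions & HARVEST_PERMS
    if len(harvest) >= 2:
        score += 2
        reasons.append("harvest permissions: " + ", ".join(sorted(harvest)))
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"package": rec.package, "score": score, "verdict": verdict, "reasons": reasons}


def triage_inventory(records) -> dict:
    """Triage every record; returns {package: finding}."""
    return {rec.package: triage(rec) for rec in records}


# Constructed inventory: one genuine install, two impersonators, one benign sideload.
SAMPLE_INVENTORY = [
    AppRecord("com.example.wallet", "Example Wallet", "aa" * 32, "com.android.vending",
              {"android.permission.INTERNET", "android.permission.CAMERA"}),
    AppRecord("com.example.wallet.beta", "Example Wallet (Beta)", "cc" * 32, None,
              {"android.permission.INTERNET", "android.permission.READ_SMS",
               "android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS"}),
    # Same package name as the real exchange app but re-signed by the attacker and
    # installed from a file opened in Telegram (org.telegram.messenger).
    AppRecord("com.example.exchange", "Example Exchange", "dd" * 32, "org.telegram.messenger",
              {"android.permission.INTERNET", "android.permission.READ_SMS"}),
    AppRecord("com.corp.tool", "Corp Tool", "ee" * 32, None, {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY).values():
        print(f"{finding['verdict']:6} {finding['score']} {finding['package']}: "
              + "; ".join(finding["reasons"]))
```

On a real device the three inputs come from `adb shell dumpsys package <pkg>` (signing certificate, requested permissions) and `adb shell pm list packages -i` (installer), and the reference fingerprint for the allow‑list from `apksigner verify --print-certs` run against a copy of the genuine APK. The signer check is the one that matters most: the repackaged exchange app in the sample keeps the real package name and a plausible permission set, and only the certificate mismatch gives it away.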