Cybersecurity firm F6 has uncovered a large-scale malware distribution scheme on Telegram, where modified mobile games and apps for Android are used as a cover. Cybercriminals create themed channels dedicated to popular children’s games such as Roblox, Minecraft, Brawl Stars, and others, where they post links to so-called “mods,” cheats, and cracked versions of apps.
One such channel, titled “Roblox Mods” and boasting around 245,000 subscribers, offers modifications like “fly,” “high jump,” and “walk through walls” for Roblox. It also advertises TikTok versions with no ads or restrictions. After clicking the provided link, users are redirected to a Telegram bot that first asks them to subscribe to several channels before offering an APK file for download.
In reality, the file contains malware targeting Android devices. It is capable of stealing sensitive data, including banking information, login credentials, and passwords. It can also execute remote commands, alter system settings, and install additional components without the user’s consent.
The scheme is in active use: the bot has been used by over 570,000 people in just one month. Links to it are promoted across other Telegram channels themed around games like Subway Surfers, Standoff 2, and more. The file name changes to match the theme of the channel the user came from, which adds to the illusion of legitimacy.
Scammers leverage the popularity of free “mods” and in-game perks to lure in children and teenagers who are unaware of the malware risks. In addition to fake mods, they also offer “free currency,” “giveaways,” and “cracks,” which often hide malicious code.
F6 has submitted a report on this malicious activity to Telegram, requesting the blocking of the bots involved.