Newsletters
Security researchers have discovered a new Android banking Trojan dubbed "Frogblight" that targets users in Türkiye by disguising itself as an app for accessing court case files through official government webpages, according to a report published by Kaspersky's Securelist on Monday.
"In August 2025, we discovered a campaign targeting individuals in Türkiye with a new Android banking Trojan we dubbed 'Frogblight,'" the report stated.
"Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser, the report noted.
Frogblight exploits official government websites as an intermediary step to harvest victims' banking credentials.
"Frogblight can use official government websites as an intermediary step to steal banking credentials," the researchers said.
"Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device, and device filesystem information. It can also send arbitrary SMS messages," the report added.
After the victims grant the requested permissions, the malware opens the official government webpage for accessing court case files in WebView, prompting the victim to sign in.
When users choose the online banking sign-in option, Frogblight waits two seconds, then forces the online banking method regardless of user choice, injecting JavaScript code to capture user input and send it to command and control servers.
Kaspersky researchers believe smishing is one of the primary distribution vectors, with users installing the malware themselves after receiving phishing SMS messages.
"On the internet, we found complaints from Turkish users about phishing SMS messages convincing users that they were involved in a court case and containing links to download malware," the report stated.
The researchers discovered one of the phishing websites distributing Frogblight, which disguises itself as a website for viewing court files.
The source code for this phishing website was found available in a public GitHub repository, adapted for fast deployment to Vercel, a platform for hosting web apps.
Researchers observed Frogblight being updated with new features throughout September, suggesting active development of a feature-rich malware application.
"This may indicate that a feature-rich malware app for Android is being developed, which might be distributed under the Model as a Service (MaaS) model," the report stated.
Later versions added new capabilities, including a custom input method for recording keystrokes, geofencing techniques to avoid detection, and emulator checks that shut down the malware if running in the United States or on emulated devices.
The threat actors also transitioned from REST APIs to WebSocket communication for command transmission. At the IP address used for WebSocket connections, researchers found the Frogblight web panel accessible with an authentication key.
"Judging by the menu options, the threat actor can sort victims' devices by certain parameters, such as the presence of banking apps on the device, and send bulk SMS messages and perform other mass actions," the report stated.
During analysis, researchers discovered a GitHub profile containing repositories with Frogblight that had also created repositories with Coper malware, which is a stealthy and sophisticated banking Trojan that targets Android devices distributed under the MaaS model.
"This profile may belong to the attackers distributing Coper, who have also started distributing Frogblight," the researchers noted.
The malware is detected by Kaspersky products as HEUR:Trojan-Banker.AndroidOS.Frogblight.*, HEUR:Trojan-Banker.AndroidOS.Agent.eq, HEUR:Trojan-Banker.AndroidOS.Agent.ep and HEUR:Trojan-Spy.AndroidOS.SmsThief.de.
Based on telemetry data, the majority of users attacked by Frogblight are located in Türkiye.
1 min read
1 min read
