A sophisticated Android banking Trojan named Frogblight has emerged as a significant threat targeting Turkish users, employing deceptive tactics to steal banking credentials and personal data.
Discovered in August 2025, this malware initially disguised itself as an application for accessing court case files through official government portals before evolving into more generic forms mimicking popular applications like Chrome.
The malware operates through a well-coordinated social engineering approach. Victims receive phishing SMS messages falsely claiming involvement in court cases, with links directing them to fake government websites designed to distribute the malicious application.
Once installed, Frogblight requests access to sensitive permissions, including SMS read and write capabilities, storage access, and device information retrieval.
The deception continues when users launch the app, as it displays legitimate government webpages through an embedded browser view to create a false sense of authenticity.
Securelist analysts identified that Frogblight operates as a multifunctional threat with banking theft capabilities combined with extensive spyware functions.
The malware actively monitors and records SMS messages, tracks installed applications, monitors the device filesystem, and can send arbitrary text messages to external contacts.
Perhaps most concerning, the malware demonstrates active development, with new features added throughout September 2025, suggesting potential distribution under a Malware-as-a-Service model.
The Injection Mechanism and Command Architecture
The core credential-capture mechanism relies on JavaScript injected into the compromised WebView. When users interact with the fake government portal displayed inside the malicious application, Frogblight silently captures all user inputs.
The malware specifically targets online banking sign-in attempts by automatically initiating banking login screens after a brief two-second delay, regardless of user selection.
Communication with the command-and-control server occurs through REST API calls using the Retrofit library, with the malware pinging its controller every two seconds when active.
Early versions used REST API endpoints handling tasks like fetching outbox messages, acknowledging command execution, and uploading stolen files and data.
Later variants transitioned to WebSocket connections using JSON-formatted commands for enhanced stealth and persistence.
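The fixed two-second controller ping described above is a network-level signal defenders can hunt for. The following is an added example, not code from the article or from Securelist: it parses constructed outbound-connection records (the log format, app identifiers and hostnames are invented for illustration) and flags flows whose connection gaps cluster tightly around a chosen period, which human-driven browsing does not do.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not real telemetry):
# "<epoch_seconds> <source_app> <destination_host>:<port>"
SAMPLE_LOG = """\
1725000000.0 com.example.davalarim c2.example.invalid:443
1725000002.1 com.example.davalarim c2.example.invalid:443
1725000004.0 com.example.davalarim c2.example.invalid:443
1725000005.9 com.example.davalarim c2.example.invalid:443
1725000008.0 com.example.davalarim c2.example.invalid:443
1725000010.1 com.example.davalarim c2.example.invalid:443
1725000000.5 com.android.chrome www.example.invalid:443
1725000031.0 com.android.chrome www.example.invalid:443
1725000035.2 com.android.chrome cdn.example.invalid:443
1725000140.0 com.android.chrome www.example.invalid:443
"""

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group connection timestamps by (app, destination); skip malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, app, dst = m.groups()
        flows[(app, dst)].append(float(ts))
    return flows


def find_beacons(flows, period=2.0, tolerance=0.25, min_hits=5):
    """Return flows whose inter-connection gaps sit tightly around `period`.

    A flow qualifies when it has at least `min_hits` connections, the mean gap
    is within `tolerance` seconds of `period`, and the gaps show little spread
    (population std dev <= tolerance). Irregular human traffic does not match.
    """
    hits = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if abs(avg - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = {"count": len(times), "mean_gap": round(avg, 2)}
    return hits


if __name__ == "__main__":
    for (app, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"beacon-like: {app} -> {dst} {info}")
```

Tune `period`, `tolerance` and `min_hits` to the telemetry source; sparse or heavily batched flow logs will need a longer observation window.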
The malware implements sophisticated persistence mechanisms through multiple Android services. The AccessibilityAutoClickService prevents application removal while opening attacker-specified websites.
The PersistentService handles ongoing command-and-control interactions, while the BootReceiver ensures malware persistence after device restarts through job scheduling and alarm configuration.
Frogblight also employs evasion techniques: it detects emulator environments, and a geofencing check disables its functionality in the United States.
On newer Android versions the application icon changes to “Davalarım” (Turkish for “My cases”), while on older systems the icon remains hidden.
Detection signatures include HEUR:Trojan-Banker.AndroidOS.Frogblight and related variants in Kaspersky products, helping security teams identify and block this emerging threat.
