Frogblight Android Malware Spoofs Government Sites to Collect SMS and Device Details


Kaspersky security researchers have uncovered a sophisticated Android banking Trojan called Frogblight that targets Turkish users by impersonating legitimate government applications.

First detected in August 2025, this advanced malware combines banking credential theft with extensive spyware functionality, marking a significant threat to mobile users in the region.

The malware employs a deceptive social engineering approach, initially masquerading as an application for accessing court case files via official Turkish government portals.

Kaspersky researchers discovered that Frogblight uses smishing (SMS phishing) as a primary distribution vector, with victims receiving fraudulent messages claiming they are involved in legal proceedings and prompting them to download what appears to be a legitimate government application.

Once installed, Frogblight steals banking credentials without leaving the legitimate site. The malware opens the genuine Turkish government webpage for court file access inside its own WebView component, then requests excessive permissions including SMS read/write access, file system access, and device information collection.

When users attempt to log in through the portal's online banking options, Frogblight injects malicious JavaScript into the WebView to capture everything the user types and transmits it to its command-and-control (C2) servers.

The malware requests an alarming array of 24 different device permissions, ranging from SMS management and accessibility services to contact access and battery optimization bypass.

This comprehensive permission set enables the threat actor to gain near-complete control over infected devices.
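The permission combination described above (SMS control, an accessibility service, contact and call-log access, battery optimization bypass) is something an analyst can check for in a decoded AndroidManifest.xml before any dynamic analysis. The following triage script is an added example, not code from Kaspersky or from the malware; the permission names are real Android identifiers, while the capability grouping, the threshold, and both sample manifests (including the placeholder package and service names) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Capability groups the write-up attributes to Frogblight. The permission names are
# real Android identifiers; the grouping and threshold below are this example's own.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "contacts_calls": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
    "persistence": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    hits = {c: sorted(requested & p) for c, p in CAPABILITIES.items() if requested & p}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(PERMISSION) == ACCESSIBILITY for s in root.iter("service")):
        hits["accessibility"] = [ACCESSIBILITY]
    # Heuristic: SMS access or an accessibility service plus two other spyware capabilities.
    suspicious = len(hits) >= 3 and ("sms" in hits or "accessibility" in hits)
    return {"permission_count": len(requested), "hits": hits, "suspicious": suspicious}

# Constructed sample manifests (not from a real sample); package names are placeholders.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="placeholder.court.files">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".KeyboardService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="placeholder.benign"><uses-permission android:name="android.permission.INTERNET"/>
  <application/></manifest>"""

if __name__ == "__main__":
    for label, manifest in (("spyware", SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

Run it against the output of an APK decoder such as apktool; the heuristic is a first-pass filter, since legitimate messaging or accessibility apps can also request some of these permissions.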

Evolving Threat Landscape

Kaspersky’s analysis revealed that Frogblight underwent continuous development throughout September 2025, with successive variants introducing new capabilities.

Later versions disguised themselves as the Chrome browser and implemented additional spyware features including contact list exfiltration, call log collection, and keystroke recording through a custom keyboard service.

The most recent samples employ WebSocket connections instead of REST APIs for C2 communication, indicating active development toward a fully operational malware platform.

The malware includes geofencing capabilities that prevent execution in the United States and detect emulator environments, suggesting sophisticated operators behind its development.

Malware-as-a-Service Model

Evidence suggests Frogblight may be distributed under a Malware-as-a-Service (MaaS) model.

Kaspersky researchers discovered an accessible web administration panel that allows threat actors to sort victim devices by parameters such as installed banking applications and execute bulk SMS operations.

The malware’s use of special authentication keys for its WebSocket connections is consistent with this distribution model.

While definitive attribution is not possible at this time, researchers found strong connections between Frogblight and the Coper malware family on GitHub, where both are managed by related threat actor accounts.

Code comments written in Turkish suggest the malware developers are native Turkish speakers.

Kaspersky has provided multiple indicators of compromise including seven APK file hashes, C2 domains, IP addresses, and distribution URLs to assist security professionals and organizations in identifying and blocking this threat.

Kaspersky products detect Frogblight variants as HEUR:Trojan-Banker.AndroidOS.Frogblight.*, HEUR:Trojan-Banker.AndroidOS.Agent.eq, and related signatures.

Turkish users should exercise extreme caution with unsolicited SMS messages regarding legal proceedings and avoid downloading applications from unofficial sources.

Installing security applications and maintaining current device patches remain critical defense measures against this emerging threat.
