
Frogblight banking Trojan targets Android users in Turkey

  • Dec 16, 2025

Key Findings


  • In August 2025, Kaspersky researchers discovered a new Android banking Trojan dubbed "Frogblight" targeting individuals in Turkey.

  • The malware initially disguised itself as an app for accessing court case files via an official government webpage, but later adopted more universal disguises like the Chrome browser.

  • Frogblight can use official government websites as an intermediary step to steal banking credentials and has spyware capabilities to collect SMS messages, app lists, and device filesystem information.

  • The malware is rapidly evolving, with researchers observing frequent updates adding new features throughout September.

  • There are potential ties between Frogblight and the notorious Coper banking Trojan, suggesting the operators may be distributing it under a Malware-as-a-Service (MaaS) model.


Background


While performing an analysis of mobile malware, Kaspersky researchers discovered several samples belonging to a new malware family. Despite still being under development, the malware already contained a significant amount of functionality, allowing it to be classified as a banking Trojan.


As new versions of this malware continued to appear, the researchers began closely monitoring its development. They also managed to discover the malware's control panel, and based on the "fr0g" name shown there, dubbed this family "Frogblight".


Initial Infection


The researchers believe that smishing, or SMS phishing, is one of the distribution vectors for Frogblight, with users having to install the malware themselves. They found complaints from Turkish users about phishing SMS messages claiming the user was involved in a court case and containing links to download malware.


Early versions of Frogblight were disguised as an app for accessing court case files via an official government webpage, and used the same names as the files offered for download through the links in the phishing SMS messages.


The researchers also discovered a phishing website that was distributing Frogblight, posing as a website for viewing a court file. The admin panel of this website allowed the threat actors to view statistics on Frogblight downloads, though the counter was not fully implemented.


App Features


The initial Frogblight samples disguised themselves as an app for accessing court case files via an official government webpage. One such sample (9dac23203c12abd60d03e3d26d372253) was analyzed by the researchers.


After being granted the requested permissions, the malware opens the official government webpage for accessing court case files in a WebView, prompting the victim to sign in. If the user chooses to sign in via online banking, Frogblight waits for the banking login page to load and then injects JavaScript code to capture the user's input and send it to the command-and-control (C2) server.


Frogblight also has spyware functionality, allowing it to collect SMS messages, a list of installed apps on the device, and device filesystem information. It can also send arbitrary SMS messages.
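
A static triage check for the traits described above, added here as an example and not taken from the Kaspersky report or from the malware: it reads a decoded AndroidManifest.xml and flags an app whose label borrows a well-known name (such as Chrome) while its package name differs and it requests SMS permissions. The permission-to-capability mapping, the function name triage and both sample manifests are assumptions constructed for illustration; the label is assumed to be a literal string rather than a resource reference.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability -> Android permissions that enable it (mapping is this example's assumption).
CAPABILITIES = {
    "read_sms": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "send_sms": {P + "SEND_SMS"},
    "list_apps": {P + "QUERY_ALL_PACKAGES"},
    "browse_storage": {P + "READ_EXTERNAL_STORAGE", P + "MANAGE_EXTERNAL_STORAGE"},
}
# Label a disguise may borrow -> package name of the genuine app.
KNOWN_BRANDS = {"chrome": "com.android.chrome"}

def triage(manifest_xml):
    """Return capability and disguise findings for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID + "label", "") if app is not None else "").strip()
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    caps = sorted(c for c, perms in CAPABILITIES.items() if perms & requested)
    expected = KNOWN_BRANDS.get(label.lower())
    mismatch = expected is not None and package != expected
    # A browser look-alike that also wants SMS access is worth escalating.
    suspicious = mismatch and bool({"read_sms", "send_sms"} & set(caps))
    return {"package": package, "label": label, "capabilities": caps,
            "brand_mismatch": mismatch, "suspicious": suspicious}

# Constructed sample: Chrome label, unrelated package, SMS and app-list permissions.
SAMPLE_DISGUISED = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Chrome"/>
</manifest>"""

# Constructed sample: label and package agree, no SMS permissions.
SAMPLE_GENUINE = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.chrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Chrome"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_DISGUISED, SAMPLE_GENUINE):
        print(triage(sample))
```
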


Ongoing Development


The researchers observed that Frogblight is under active development, with new features being added throughout September. This may indicate that a feature-rich malware app for Android is being developed, which could potentially be distributed under the MaaS model.


Moreover, the researchers found a GitHub profile containing repositories with Frogblight. The same profile had also created repositories with the Coper malware, which is distributed under the MaaS model. This connection suggests that the operators behind Coper may have expanded their portfolio to include Frogblight.


Sources


  • https://securelist.com/frogblight-banker/118440/

  • https://securityonline.info/frogblight-android-banking-trojan-targets-turkey-via-fake-e-gov-smishing-and-webview/

  • https://malware.news/t/frogblight-threatens-you-with-a-court-case-a-new-android-banker-targets-turkish-users/102575

  • https://www.reddit.com/r/SecOpsDaily/comments/1pn20dd/frogblight_threatens_you_with_a_court_case_a_new/

  • https://x.com/shah_sheikh/status/2000461924098556387

  • https://cometbar.co.uk/node/32266
