The interface of the sign-in screen for the Frogblight web panel | Image: Kaspersky Labs
A new and evolving Android banking Trojan dubbed “Frogblight” has been discovered targeting individuals in Turkey, masquerading as official government applications to steal sensitive financial data.
The malware, first identified by Kaspersky researchers in August 2025, is distributed through smishing (SMS phishing). Victims are lured into downloading the malicious app under the pretext of accessing court case files, a lure that exploits the recipient's sense of urgency and trust in government institutions.
The infection chain typically begins with a deceptive SMS message. “On the internet, we found complaints from Turkish users about phishing SMS messages convincing users that they were involved in a court case and containing links to download malware”.
Once the user clicks the link, they are directed to a phishing site that mimics an official e-government portal. From there, they are prompted to download an application to view their alleged files. “Initially, the malware was disguised as an app for accessing court case files via an official government webpage”.
Upon installation, Frogblight requests a wide array of invasive permissions, including access to SMS messages, contacts, and device storage. “After all required permissions are granted, the malware opens the official government webpage for accessing court case files in WebView, prompting the victim to sign in”. Because the page shown is the genuine government site, loaded inside the malicious app's own WebView, the victim sees a real login flow; that legitimacy is the decoy, keeping the victim engaged while the malware sets up its primary attack: stealing banking credentials.
Frogblight is more than just a credential harvester; it is a comprehensive spyware tool. Researchers noted its capabilities include collecting SMS messages, listing installed apps, and accessing the device’s filesystem. “Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information”.
Crucially, the malware waits for the user to attempt a banking login. If the user selects a bank for authentication via the government portal, Frogblight intercepts the process. “Frogblight can use official government websites as an intermediary step to steal banking credentials”.
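The permission set described above (SMS, contacts and storage, requested by an app that claims only to display court documents) is a practical triage signal for analysts screening APKs. The following is an added example, not Kaspersky's code or any tooling from the report: it parses a decoded AndroidManifest.xml (assumed to have been extracted with a tool such as apktool, since the manifest inside an APK is binary XML) and flags the combination the article names. The manifest text, package name and activity names are constructed placeholders, not real indicators from the campaign.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article says Frogblight asks for: SMS, contacts, storage.
# Any one of these is normal for some app; all three together in a
# "document viewer" is the signal this script scores.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed (fictional) decoded manifest in the shape the article describes.
# Package and activity names are placeholders, not indicators of compromise.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Placeholder">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed manifest of a benign viewer app for comparison: network plus
# storage only, which is unremarkable and must not be flagged.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benignviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Viewer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Score a manifest by how many of the three suspect capability
    categories (SMS, contacts, storage) it requests; flag at threshold."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(perms & SUSPECT_PERMISSIONS)
    categories = {
        "sms": any(p.endswith("_SMS") for p in hits),
        "contacts": "android.permission.READ_CONTACTS" in hits,
        "storage": any("EXTERNAL_STORAGE" in p for p in hits),
    }
    score = sum(categories.values())
    return {"hits": hits, "categories": categories, "score": score,
            "flag": score >= threshold}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "flag" if result["flag"] else "ok", result["hits"])
```

The threshold defaults to all three categories so that a storage-only or SMS-only app is not flagged on its own; lowering it to 2 trades false positives for earlier warning. This is a static first pass only: the WebView-based credential interception the article describes leaves no trace in the manifest and needs dynamic analysis to confirm.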
While investigating the infrastructure behind Frogblight, researchers found potential links to another notorious malware family. The threat actors appear to be operating under a Malware-as-a-Service (MaaS) model, where malicious tools are rented out to other criminals.
“We discovered a GitHub profile containing repos with Frogblight, which had also created repos with Coper malware, distributed under the MaaS model”. This connection suggests that the operators behind Coper, a well-known banking Trojan, may have expanded their portfolio to include Frogblight.
The malware is in active development. Throughout September, researchers observed frequent updates adding new capabilities, such as WebSocket communication for faster command execution and emulator detection to evade security analysis.
This rapid iteration cycle indicates that the threat actors are refining their tool for broader or more damaging campaigns. “This may indicate that a feature-rich malware app for Android is being developed, which might be distributed under the MaaS model”.
Kaspersky researchers conclude that while the current campaign is focused on Turkey, the malware’s modular nature and MaaS potential make it a significant threat. “It can be made more dangerous by the fact that it may be used by attackers who already have experience distributing malware”.