{"id":177,"date":"2025-12-19T09:15:25","date_gmt":"2025-12-19T09:15:25","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/frogblight-threatens-you-with-a-court-case-a-new-android-banker-targets-turkish-users\/"},"modified":"2025-12-19T09:15:25","modified_gmt":"2025-12-19T09:15:25","slug":"frogblight-threatens-you-with-a-court-case-a-new-android-banker-targets-turkish-users","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/frogblight-threatens-you-with-a-court-case-a-new-android-banker-targets-turkish-users\/","title":{"rendered":"Frogblight threatens you with a court case: a new Android banker targets Turkish users"},"content":{"rendered":"
\n

\"\"<\/p>\n

In August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed \u201cFrogblight\u201d. Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser.<\/p>\n

Frogblight can use official government websites as an intermediary step to steal banking credentials. Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information. It can also send arbitrary SMS messages.<\/p>\n

Another interesting characteristic of Frogblight is that we\u2019ve seen it updated with new features throughout September. This may indicate that a feature-rich malware app for Android is being developed, which might be distributed under the MaaS model.<\/p>\n

This threat is detected by Kaspersky products as HEUR:Trojan-Banker.AndroidOS.Frogblight.*, HEUR:Trojan-Banker.AndroidOS.Agent.eq, HEUR:Trojan-Banker.AndroidOS.Agent.ep, HEUR:Trojan-Spy.AndroidOS.SmsThief.de.<\/p>\n

Technical details<\/h2>\n

Background<\/h3>\n

While performing an analysis of mobile malware we receive from various sources, we discovered several samples belonging to a new malware family. Although these samples appeared to be still under development, they already contained a lot of functionality that allowed this family to be classified as a banking Trojan. As new versions of this malware continued to appear, we began monitoring its development. Moreover, we managed to discover its control panel and based on the \u201cfr0g\u201d name shown there, we dubbed this family \u201cFrogblight\u201d.<\/p>\n

Initial infection<\/h3>\n

We believe that smishing is one of the distribution vectors for Frogblight, and that the users had to install the malware themselves. On the internet, we found complaints from Turkish users about phishing SMS messages convincing users that they were involved in a court case and containing links to download malware. versions of Frogblight, including the very first ones, were disguised as an app for accessing court case files via an official government webpage and were named the same as the files for downloading from the links mentioned above.<\/p>\n

While looking for online mentions of the names used by the malware, we discovered one of the phishing websites distributing Frogblight, which disguises itself as a website for viewing a court file.<\/p>\n

\"The<\/a><\/p>\n

The phishing website distributing Frogblight<\/p>\n<\/div>\n

We were able to open the admin panel of this website, where it was possible to view statistics on Frogblight malware downloads. However, the counter had not been fully implemented and the threat actor could only view the statistics for their own downloads.<\/p>\n

\"The<\/a><\/p>\n

The admin panel interface of the website from which Frogblight is downloaded<\/p>\n<\/div>\n

Additionally, we found the source code of this phishing website available in a public GitHub repository. Judging by its description, it is adapted for fast deployment to Vercel<\/a>, a platform for hosting web apps.<\/p>\n

\"The<\/a><\/p>\n

The GitHub repository with the phishing website source code<\/p>\n<\/div>\n

App features<\/h3>\n

As already mentioned, Frogblight was initially disguised as an app for accessing court case files via an official government webpage. Let\u2019s look at one of the samples using this disguise (9dac23203c12abd60d03e3d26d372253<\/code>). For analysis, we selected an early sample, but not the first one discovered, in order to demonstrate more complete Frogblight functionality.<\/p>\n

After starting, the app prompts the victim to grant permissions to send and read SMS messages, and to read from and write to the device\u2019s storage, allegedly needed to show a court file related to the user.<\/p>\n

The full list of declared permissions in the app manifest file is shown below:<\/p>\n