Frogblight is a sophisticated Android banking Trojan mainly targeting users in Turkey by pretending to be official government services.
First seen in August 2025, it initially posed as an app to access court case details and later evolved to mimic popular apps like Chrome.
How Frogblight Tricks Users
The attack starts with phishing SMS messages claiming the user is involved in a court case, leading them to fake government websites that push the malicious app.
Once installed, the malware asks for sensitive permissions such as SMS access, storage, and device details, and then displays real-looking government webpages inside the app to appear trustworthy while silently stealing banking and personal data.
Securelist reports that Frogblight is a multifunctional Android threat combining banking credential theft with powerful spyware features. It can read SMS messages, track installed apps, monitor files, and send messages on its own. Ongoing updates seen through September 2025 suggest the malware is actively maintained and possibly offered as a Malware-as-a-Service.
Inside the app, Frogblight injects JavaScript into the fake government website it displays. When users type anything on this page, the malware secretly captures it. It specifically targets banking logins by automatically opening bank sign-in pages after a short two-second delay, even if the user didn’t choose them.

The malware communicates with its command server very frequently. It first used simple REST API calls to send stolen data, confirm commands, and upload files.
Newer versions switched to WebSocket communication with JSON commands, making the activity harder to detect and more persistent.
To stay on the device, Frogblight uses several Android services. One service blocks app removal and forces users to open attacker-controlled websites.
Another keeps constant contact with the command server, and a boot receiver restarts the malware automatically whenever the phone is rebooted.
Frogblight also uses evasion techniques to avoid analysis. It can detect emulators, and it limits its activity outside Turkey, disabling its functions in the United States. On newer Android versions, the app icon appears as “Davalarım”, while on older devices it stays hidden. Kaspersky detects it as HEUR:Trojan-Banker.AndroidOS.Frogblight, helping security teams identify and block the threat.
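For triage, the permission and persistence pattern described above (SMS read and send, storage, background services, a boot receiver) can be checked in a decoded AndroidManifest.xml. The following is an added example, not code from Securelist or from the malware: the mapping of behaviours to standard Android permission names is an assumption, and the sample manifest and its component names are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Assumed mapping from behaviours in the write-up to standard Android permissions.
BEHAVIOUR_PERMS = {
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
}

# Constructed sample manifest (package and component names are made up).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".KeepAliveService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Report which of the described behaviours a decoded manifest could support."""
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    behaviours = sorted(b for b, perms in BEHAVIOUR_PERMS.items() if requested & perms)
    # Receivers that let the app restart itself after a reboot.
    boot_receivers = [r.get(NS + "name") for r in root.iter("receiver")
                      if any(a.get(NS + "name") == BOOT_ACTION for a in r.iter("action"))]
    services = [s.get(NS + "name") for s in root.iter("service")]
    # Flag only the combination: SMS read + SMS send + boot persistence + a service.
    suspicious = ({"read_sms", "send_sms"} <= set(behaviours)
                  and bool(boot_receivers) and bool(services))
    return {"behaviours": behaviours, "boot_receivers": boot_receivers,
            "services": services, "suspicious": suspicious}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match only means the app is capable of the described behaviour; legitimate messaging apps request similar permissions, so treat the result as a prompt for closer review.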




