Home > Security > Security News

FrogBlight Android Banking Trojan Targets Turkish Android Users via Smishing and Fake Government Court File Portals

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
trojan
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google

Key Takeaways

A new and evolving Android banking trojan named FrogBlight has been discovered in a campaign primarily targeting individuals in Turkiye. Initially observed in August 2025, this sophisticated mobile malware is distributed through smishing messages that lure victims with fake court case notifications. 

These messages direct users to phishing websites impersonating official government pages, convincing them to download and install the malicious application. Once installed, the malware disguises itself as a legitimate government app or a common browser like Chrome.

Technical Capabilities and Credential Theft

FrogBlight is engineered to steal sensitive financial information with precision, according to the latest report from SecureList by Kaspersky. After a victim grants the necessary permissions, the malware opens a legitimate government portal within a WebView interface. 

The phishing website distributing Frogblight
The phishing website distributing Frogblight | Source: SecureList by Kaspersky

When the user attempts to sign in via their online banking provider, FrogBlight injects malicious JavaScript code to capture their login credentials. This data is then exfiltrated to a command-and-control (C2) server.

The admin panel interface of the website from which Frogblight is downloaded
The admin panel interface of the website from which Frogblight is downloaded | Source: SecureList by Kaspersky

Beyond credential theft, the malware functions as spyware, capable of collecting and sending:

Ongoing Development and MaaS Potential

The FrogBlight banking malware appears to be under active development, with newer versions incorporating additional features like keylogging, geofencing to avoid specific regions like the U.S., and anti-emulator checks. 

The communication protocol has also evolved from a REST API to WebSockets. The presence of a web panel for managing infected devices suggests that FrogBlight may be distributed under a Malware-as-a-Service (MaaS) model, potentially widening its reach and impact.

In April, a novel, advanced MaaS platform for Android was used in a phishing campaign impersonating banks.

In June, a new zero-day exploit by Stealth Falcon targeted Middle East government and defense entities. October reports noted the Maverick banking trojan was spreading on WhatsApp using worm-like propagation. 

Add a Comment
Related
Breach Forums
BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals
PayPal Phishing
PayPal Subscription Feature Abused in Sophisticated Phishing Campaign
Phone - People - Age Group - Chat Bubbles
Child Safety: Age Verification Moves From Compliance to Court as Reddit Challenges Australia’s Under-16 Social Media Ban
Server Room - Laptop - Dashboard
React2Shell Now Used for Persistent Server Compromise
Woman - Papers - Charts - Gavel
Former Cloud Platform Manager Charged for Concealing Noncompliance to Secure Army Sponsorship, Raising Federal Security Risks
Hacker - Laptop - Defense
Mikord Data Breach: Claims of Russia’s Military Draft Systems Hack Shared via 'Idite Lesom'
Most Popular
Breach Forums
BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals
PayPal Phishing
PayPal Subscription Feature Abused in Sophisticated Phishing Campaign
NordVPN Security Audit Shows Ongoing Independent Review
What the Latest NordVPN Security Review Actually Confirms - Everything You Need to Know
Part Human - Part Robot - Hacker - Hands
AI to the Rescue as Attackers Exploit Software Bugs, Human Vulnerabilities, and Artificial Intelligence
Phone - People - Age Group - Chat Bubbles
Child Safety: Age Verification Moves From Compliance to Court as Reddit Challenges Australia’s Under-16 Social Media Ban
Server Room - Laptop - Dashboard
React2Shell Now Used for Persistent Server Compromise
BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals
PayPal Subscription Feature Abused in Sophisticated Phishing Campaign
What the Latest NordVPN Security Review Actually Confirms - Everything You Need to Know
AI to the Rescue as Attackers Exploit Software Bugs, Human Vulnerabilities, and Artificial Intelligence
Child Safety: Age Verification Moves From Compliance to Court as Reddit Challenges Australia’s Under-16 Social Media Ban
React2Shell Now Used for Persistent Server Compromise

Most Popular
Breach Forums
BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals
PayPal Phishing
PayPal Subscription Feature Abused in Sophisticated Phishing Campaign
NordVPN Security Audit Shows Ongoing Independent Review
What the Latest NordVPN Security Review Actually Confirms - Everything You Need to Know
Part Human - Part Robot - Hacker - Hands
AI to the Rescue as Attackers Exploit Software Bugs, Human Vulnerabilities, and Artificial Intelligence
Phone - People - Age Group - Chat Bubbles
Child Safety: Age Verification Moves From Compliance to Court as Reddit Challenges Australia’s Under-16 Social Media Ban
Server Room - Laptop - Dashboard
React2Shell Now Used for Persistent Server Compromise
BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals
PayPal Subscription Feature Abused in Sophisticated Phishing Campaign
What the Latest NordVPN Security Review Actually Confirms - Everything You Need to Know
AI to the Rescue as Attackers Exploit Software Bugs, Human Vulnerabilities, and Artificial Intelligence
Child Safety: Age Verification Moves From Compliance to Court as Reddit Challenges Australia’s Under-16 Social Media Ban
React2Shell Now Used for Persistent Server Compromise

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: