Frogblight

Frogblight is an Android banking trojan first reported by Kaspersky in August 2025 and primarily targeting users in Turkey. It is distributed through social engineering, especially smishing campaigns, with lures related to Turkish government services such as court case documents, e-Government themes, financial aid, and social support. Observed variants masqueraded as apps for viewing court files, social support applications, and Google Chrome. Victims are directed to phishing sites or fraudulent apps and install the malware themselves.

Once installed, Frogblight requests extensive permissions, including SMS read/send, storage access, binding as an accessibility service, and receiving the boot-completed broadcast. It abuses embedded WebView components and JavaScript injection to display legitimate-looking government or banking pages, capture user input, and steal banking credentials and other personal information. Reported capabilities include collecting SMS messages, sending arbitrary SMS messages, listing installed applications, gathering filesystem information, uploading files, and, in later variants, stealing contacts and call logs. Some versions also implemented a custom keyboard service to log keystrokes.

Frogblight includes persistence and anti-removal mechanisms through Android services and receivers such as PersistentService and BootReceiver; earlier samples also used an accessibility-based component to hinder removal and trigger WebView actions. Anti-analysis and evasion features include emulator detection and geofencing, with at least one sample shutting down on emulators or when the device is located in the United States. Researchers observed rapid feature updates through September 2025, indicating active development.
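The permission and component pattern described in the two paragraphs above (SMS read plus send, storage access, an accessibility-bound service, a boot-completed receiver, and persistence components such as PersistentService and BootReceiver) can be scored statically from a decoded AndroidManifest.xml before any dynamic analysis. The triage script below is an added example written for this page; it is not Kaspersky's or Mallory's code. The two manifests embedded in it are constructed to illustrate the pattern and are not taken from a real sample; the package names and the weights are this example's own assumptions, and the component names PersistentService and BootReceiver are the ones the reporting mentions.

```python
"""Static triage of a decoded Android manifest for the Frogblight-style
permission/component pattern. Added example; manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest showing the pattern (not a real sample; placeholder package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Court File Viewer">
        <activity android:name=".MainActivity"/>
        <service android:name=".PersistentService" android:exported="false"/>
        <service android:name=".AccessService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest used as a control (placeholder package).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>
"""

# Weights are an assumption of this example, chosen to rank samples for a human.
WEIGHTS = {"sms_read_and_send": 3, "accessibility_service": 3, "boot_receiver": 2,
           "storage_access": 1, "reported_component_names": 1}


def a(attr):
    """Qualified name of an android: attribute, as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


def has_action(component, action):
    """True if any intent-filter on the component declares the given action."""
    return any(act.get(a("name")) == action
               for flt in component.findall("intent-filter")
               for act in flt.findall("action"))


def triage_manifest(xml_text):
    """Return (findings, score) for one decoded manifest. A score is a ranking aid
    for an analyst, not a verdict: legitimate SMS or accessibility apps hit some tags."""
    root = ET.fromstring(xml_text)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    services = list(root.iter("service"))
    receivers = list(root.iter("receiver"))
    findings = []

    if ({"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & perms
            and "android.permission.SEND_SMS" in perms):
        findings.append("sms_read_and_send")
    if perms & {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"}:
        findings.append("storage_access")
    if any(s.get(a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in services):
        findings.append("accessibility_service")
    if ("android.permission.RECEIVE_BOOT_COMPLETED" in perms
            and any(has_action(r, "android.intent.action.BOOT_COMPLETED") for r in receivers)):
        findings.append("boot_receiver")
    # Component class names mentioned in the reporting; weak on their own (common names).
    short_names = {c.get(a("name"), "").rsplit(".", 1)[-1] for c in services + receivers}
    if short_names & {"PersistentService", "BootReceiver"}:
        findings.append("reported_component_names")

    return findings, sum(WEIGHTS[f] for f in findings)


if __name__ == "__main__":
    import sys
    # Pass a decoded manifest path (e.g. apktool output); defaults to the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    found, total = triage_manifest(text)
    print("score=%d findings=%s" % (total, ", ".join(found) or "none"))
```

Run it against the manifest produced by a decoder such as apktool; the tags are meant to be combined with the behavioural indicators the reporting describes (WebView injection, emulator and geofence checks), which a manifest alone cannot show.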

Its command-and-control evolved from a REST API model using Retrofit, with frequent beaconing, to WebSocket-based C2 using JSON-formatted commands. A web panel was observed at the WebSocket IP, and reporting suggests the malware may be operated or distributed as Malware-as-a-Service, though attribution to a specific threat actor is not confirmed. Turkish-language code comments and overlap with GitHub repositories associated with Coper-related malware were noted as possible clues, but not definitive attribution.

High-confidence indicators mentioned in the reporting include sample hashes 9dac23203c12abd60d03e3d26d372253, d7d15e02a9cd94c8ab00c043aef55aff, 115fbdc312edd4696d6330a62c181f35, and 08a3b1fb2d1abbdbdd60feb8411a12c7; C2 domains 1249124fr1241og5121.sa[.]com and froglive[.]net; and C2 IP 45.138.16.208:8080. Kaspersky detections referenced in the reporting include HEUR:Trojan-Banker.AndroidOS.Frogblight.*, HEUR:Trojan-Banker.AndroidOS.Agent.eq, HEUR:Trojan-Banker.AndroidOS.Agent.ep, and HEUR:Trojan-Spy.AndroidOS.SmsThief.de.
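The indicators above (sample hashes, C2 domains, the WebSocket C2 socket from the previous paragraph, and the Kaspersky detection names) are most useful when swept across existing telemetry: DNS queries, outbound connection records, file-hash events and AV alerts. The matcher below is an added example written for this page, not Kaspersky's or Mallory's code; the indicator values are exactly those quoted above (defanged domains are refanged in code), while the log lines, the log format and the detection name ending in ".a" are constructed for illustration and are not real telemetry.

```python
"""Sweep the reported Frogblight indicators across key=value log lines.
Added example; indicators are from the reporting above, log lines are constructed."""
import re

# Indicators quoted in the reporting.
HASHES = {
    "9dac23203c12abd60d03e3d26d372253", "d7d15e02a9cd94c8ab00c043aef55aff",
    "115fbdc312edd4696d6330a62c181f35", "08a3b1fb2d1abbdbdd60feb8411a12c7",
}
DOMAINS_DEFANGED = {"1249124fr1241og5121.sa[.]com", "froglive[.]net"}
C2_SOCKETS = {("45.138.16.208", 8080)}
KASPERSKY_EXACT = {"HEUR:Trojan-Banker.AndroidOS.Agent.eq",
                   "HEUR:Trojan-Banker.AndroidOS.Agent.ep",
                   "HEUR:Trojan-Spy.AndroidOS.SmsThief.de"}
KASPERSKY_PREFIX = "HEUR:Trojan-Banker.AndroidOS.Frogblight."   # reported as .*


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".")


DOMAINS = {refang(d) for d in DOMAINS_DEFANGED}
C2_IPS = {ip for ip, _ in C2_SOCKETS}

# Constructed log lines (DNS, netflow, EDR hash event, AV alert); hosts and times are made up.
SAMPLE_LOGS = """2025-09-03T10:11:02Z dns client=10.0.0.15 query=froglive.net type=A
2025-09-03T10:11:03Z netflow src=10.0.0.15 dst=45.138.16.208 dport=8080 proto=tcp
2025-09-03T10:11:04Z netflow src=10.0.0.15 dst=45.138.16.208 dport=443 proto=tcp
2025-09-03T10:12:00Z dns client=10.0.0.22 query=update.example.com type=A
2025-09-03T10:15:30Z edr host=android-7f3 file=court_docs.apk md5=D7D15E02A9CD94C8AB00C043AEF55AFF
2025-09-03T10:16:00Z dns client=10.0.0.31 query=mail.1249124fr1241og5121.sa.com type=A
2025-09-03T10:17:12Z av host=android-7f3 detection=HEUR:Trojan-Banker.AndroidOS.Frogblight.a action=quarantined
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract key=value fields from one log line into a dict."""
    return dict(KV.findall(line))


def domain_hit(name):
    """Return the matching C2 domain for an exact or subdomain match, else None."""
    name = name.lower().rstrip(".")
    for d in DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def detection_hit(name):
    """True for the exact Kaspersky names or any Frogblight.* variant."""
    return name in KASPERSKY_EXACT or name.startswith(KASPERSKY_PREFIX)


def match_logs(text):
    """Return (line_no, kind, indicator) tuples for every indicator hit in the text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        f = parse_line(line)
        if "query" in f:
            d = domain_hit(f["query"])
            if d:
                hits.append((n, "c2_domain", d))
        if "dst" in f:
            port = int(f.get("dport", 0))
            if (f["dst"], port) in C2_SOCKETS:
                hits.append((n, "c2_socket", "%s:%d" % (f["dst"], port)))
            elif f["dst"] in C2_IPS:
                # Same IP on another port: still worth a look, lower confidence.
                hits.append((n, "c2_ip_other_port", f["dst"]))
        if "md5" in f and f["md5"].lower() in HASHES:
            hits.append((n, "sample_hash", f["md5"].lower()))
        if "detection" in f and detection_hit(f["detection"]):
            hits.append((n, "av_detection", f["detection"]))
    return hits


if __name__ == "__main__":
    for line_no, kind, ioc in match_logs(SAMPLE_LOGS):
        print("line %d: %s %s" % (line_no, kind, ioc))
```

Hash comparison is case-normalised and domain matching includes subdomains, since both are common reasons an otherwise exact sweep misses a hit; the port-insensitive IP match is reported separately so it can be triaged at lower priority.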
