Frogblight Android Banking Trojan Targets Turkish Users via Fake Government Websites
A new Android banking Trojan known as Frogblight has emerged, specifically targeting users in Turkey through sophisticated social engineering tactics. The malware initially masquerades as an official government application for accessing court case files, luring victims via phishing SMS messages that claim legal involvement and direct them to convincing fake government websites. Once installed, Frogblight requests extensive permissions, including access to SMS, storage, and device information, and displays legitimate government web pages within an embedded browser to maintain the illusion of authenticity. The malware is capable of stealing banking credentials, monitoring SMS messages, tracking installed applications, and sending arbitrary SMS messages to external contacts.
Researchers have observed that Frogblight is under active development, with new features added over time, suggesting a potential Malware-as-a-Service (MaaS) distribution model. The infection mechanism relies on JavaScript code injection within a compromised WebView, allowing the malware to silently capture user inputs. Security products, including those from Kaspersky, detect Frogblight under various heuristic signatures. The campaign highlights the increasing sophistication of Android banking threats and the use of official government branding to enhance the credibility of phishing lures targeting Turkish citizens.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Kaspersky publicly discloses Frogblight campaign and technical findings
On December 15, 2025, Securelist published Kaspersky's analysis of Frogblight, detailing its credential theft via WebView and JavaScript injection, extensive device surveillance functions, and possible Malware-as-a-Service links. The report also noted Turkish-language code comments and possible overlap with infrastructure or operators associated with Coper.
Frogblight evolves with new disguises and updated C2 capabilities
Through September 2025, researchers observed active development of Frogblight, including later variants masquerading as Google Chrome. The malware's infrastructure also evolved from a REST API model to a WebSocket-based command channel, while adding or refining spyware, persistence, and anti-analysis features.
Frogblight Android banking trojan campaign begins targeting users in Turkey
Kaspersky reported that the Frogblight banking trojan began targeting Android users in Turkey in August 2025. Early lures impersonated Turkish government-related services, including court case and social support applications, and were spread through social engineering and smishing.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Frogblight Android Banking Trojan Targets Turkey via Fake E-Gov Smishing and WebView
securityonline.info
Open sourceNew Android Malware Frogblight Mimics as Official Government Websites to Collect SMS and Device Details
cybersecuritynews.com
Open sourceFrogblight banking Trojan targets Android users in Turkey | Securelist
securelist.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Emergence of Advanced Android Malware Targeting SMS and Financial Data in Central Asia and Turkey
A new wave of sophisticated Android malware has been identified, targeting users in Central Asia and Turkey with the aim of stealing SMS messages, intercepting one-time passwords (OTPs), and draining bank accounts. The Wonderland malware, discovered in Uzbekistan and neighboring regions, employs multi-stage infection chains using dropper apps disguised as legitimate software. Once installed, Wonderland silently deploys its SMS-stealing payload, leveraging advanced evasion techniques such as emulator and sandbox detection, as well as heavy code obfuscation, to avoid analysis and detection by security tools. In Turkey, the Frogblight malware has been spreading through smishing campaigns that impersonate court summons or social aid notifications, tricking users into installing malicious apps. These apps, often named to mimic official government services, request extensive permissions to access SMS and storage, enabling the theft of sensitive information. Frogblight also demonstrates anti-analysis features, shutting down if it detects a fake phone or a device located in the United States. Both malware families represent a significant escalation in mobile threats, particularly in their ability to bypass traditional security measures and target financial data through sophisticated social engineering and technical means.
Mar 21, 2026
Sturnus Android Banking Trojan Enables Device Takeover and Encrypted Chat Theft
A newly discovered Android banking trojan named **Sturnus** has emerged, targeting financial institutions in Europe and demonstrating advanced capabilities beyond typical mobile malware. Sturnus can capture messages from end-to-end encrypted messaging apps such as Signal, WhatsApp, and Telegram by accessing content after decryption directly from the device screen. The malware also enables full device takeover, credential theft through region-specific HTML overlays, and real-time remote control via VNC sessions. Infection typically begins with malicious APKs disguised as legitimate apps like Google Chrome or Preemix Box, and the malware abuses Android Accessibility services to monitor user activity, capture keystrokes, and manipulate the device interface. Sturnus communicates with its command-and-control infrastructure using a combination of plaintext, RSA, and AES-encrypted channels, establishing secure connections for both data exfiltration and live monitoring. Once installed, it registers the victim device through a cryptographic exchange and can obtain Device Administrator privileges, allowing it to track password changes, lock the device, and maintain persistence. The trojan is currently under active development and is believed to be distributed via malvertising or direct messages, with researchers noting its private operation and ongoing evaluation phase. Security experts warn that Sturnus represents a significant escalation in Android banking malware sophistication, particularly due to its ability to bypass encrypted messaging protections and facilitate financial fraud.
Mar 21, 2026
Android Banking Trojans Spread via Fake Document Reader and KYC Apps
Researchers reported two Android banking malware campaigns using staged droppers to evade detection and steal financial data from mobile users. Zscaler ThreatLabz said a fake **Document Reader** app on Google Play was downloaded more than 10,000 times before removal and later fetched the **Anatsa** payload from a remote server, while CYFIRMA identified **KYCShadow** being distributed through fake KYC verification apps sent over WhatsApp to bank customers in India. In both cases, the initial apps appeared legitimate, then installed secondary malicious components designed to bypass early screening and analysis. Once deployed, the malware sought high-risk permissions to hijack accounts, intercept SMS-based one-time passwords, and overlay banking apps to capture credentials. Anatsa was reported to target more than **831 financial institutions** globally, including banks and cryptocurrency platforms, using obfuscation and anti-analysis techniques, while KYCShadow collected data such as mobile numbers, Aadhaar details, ATM PINs, and card information, then used Firebase Cloud Messaging and a full-tunnel VPN for command-and-control and traffic redirection. Researchers urged users to uninstall suspicious apps and avoid software delivered through messaging platforms, and advised defenders to monitor indicators including `jsonapi[.]biz`, `jsonserv[.]biz`, and `jsonserv[.]xyz`.
Apr 29, 2026