In August 2025, Kaspersky discovered Frogblight, a new Android banking Trojan, and throughout September 2025, it underwent rapid development. This mobile malware primarily targets users in Turkiye by masquerading as installation (APK) files for legitimate Android applications, such as a viewer app for accessing alleged “court case files,” a social support app or even the Chrome browser. Frogblight is designed to steal victims’ banking credentials, collect sensitive device information, send text messages (SMS) and enable further malicious activities, posing a significant threat to mobile users in the region.
Based on phishing campaigns reported by Turkish users, Kaspersky researchers concluded that smishing (SMS phishing) attacks are possibly one of the distribution vectors of the malware, where victims receive deceptive text messages claiming involvement in a court case, urging them to download an app by following a link. When launched, one of the Frogblight samples that could be distributed in this way requests permissions to access SMS messages and device storage under the guise of accessing court files. It then loads an official government webpage and suggests the user logs in via a local online banking service. The malware then captures user inputs, particularly online banking credentials entered during login attempts.
New variants of this malware disguised themselves as the Chrome browser or apps for social support. Kaspersky also uncovered the malware's control panel, featuring a frog-themed design and named "fr0g," which inspired the Trojan's name. Additionally, phishing websites distributing Frogblight were found, with their source code publicly available on GitHub, alongside repositories linked to other malware like Coper, suggesting possible ties to malware-as-a-service (MaaS) operations.
“Frogblight represents a concerning evolution in mobile banking threats, combining credential theft with advanced spyware features and active development. Its use of legitimate government portals to lure victims highlights the growing sophistication of cybercriminals targeting regional users. Based on what we observed, Frogblight may be in the final stages of refinement before broader deployment. We urge immediate vigilance to prevent financial losses," comments Georgy Bubenok, Malware Analyst at Kaspersky.
To protect against Frogblight and similar threats, Kaspersky recommends the following:
- Only download apps from official app stores to minimize chances of downloading malware. Avoid installing APK files from SMS links or untrusted websites.
- Scrutinize app permission requests, especially for SMS.
- Use trusted antivirus software on Android devices such as Kaspersky Premium. Kaspersky’s phishing detection provides multilayer protection, ensuring that every link that a user opens on their device is secure. For example, notification protection analyzes incoming notifications across all apps, including messengers and SMS, to identify and remove scam and suspicious links even before the user opens the app.
More details are available in the report on Securelist.
