{“lastseen”:”2025-12-15T08:05:10″,”description”:”\\n\\nIn August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed \\”Frogblight\\”. Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser.\\n\\nFrogblight can use official government websites as an intermediary step to steal banking credentials. Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information. It can also send arbitrary SMS messages.\\n\\nAnother interesting characteristic of Frogblight is that we’ve seen it updated with new features throughout September. This may indicate that a feature-rich malware app for Android is being developed, which might be distributed under the MaaS model.\\n\\nThis threat is detected by Kaspersky products as HEUR:Trojan-Banker.AndroidOS.Frogblight.*, HEUR:Trojan-Banker.AndroidOS.Agent.eq, HEUR:Trojan-Banker.AndroidOS.Agent.ep, HEUR:Trojan-Spy.AndroidOS.SmsThief.de.\\n\\n## Technical details\\n\\n### Background\\n\\nWhile performing an analysis of mobile malware we receive from various sources, we discovered several samples belonging to a new malware family. Although these samples appeared to be still under development, they already contained a lot of functionality that allowed this family to be classified as a banking Trojan. As new versions of this malware continued to appear, we began monitoring its development. Moreover, we managed to discover its control panel and based on the \\”fr0g\\” name shown there, we dubbed this family \\”Frogblight\\”.\\n\\n### Initial infection\\n\\nWe believe that smishing is one of the distribution vectors for Frogblight, and that the users had to install the malware themselves. On the internet, we found complaints from Turkish users about phishing SMS messages convincing users that they were involved in a court case and containing links to download malware. versions of Frogblight, including the very first ones, were disguised as an app for accessing court case files via an official government webpage and were named the same as the files for downloading from the links mentioned above.\\n\\nWhile looking for online mentions of the names used by the malware, we discovered one of the phishing websites distributing Frogblight, which disguises itself as a website for viewing a court file.\\n\\n\\n\\nThe phishing website distributing Frogblight\\n\\nWe were able to open the admin panel of this website, where it was possible to view statistics on Frogblight malware downloads. However, the counter had not been fully implemented and the threat actor could only view the statistics for their own downloads.\\n\\n\\n\\nThe admin panel interface of the website from which Frogblight is downloaded\\n\\nAdditionally, we found the source code of this phishing website available in a public GitHub repository. Judging by its description, it is adapted for fast deployment to Vercel, a platform for hosting web apps.\\n\\n\\n\\nThe GitHub repository with the phishing website source code\\n\\n### App features\\n\\nAs already mentioned, Frogblight was initially disguised as an app for accessing court case files via an official government webpage. Let’s look at one of the samples using this disguise (`9dac23203c12abd60d03e3d26d372253`). For analysis, we selected an early sample, but not the first one discovered, in order to demonstrate more complete Frogblight functionality.\\n\\nAfter starting, the app prompts the victim to grant permissions to send and read SMS messages, and to read from and write to the device’s storage, allegedly needed to show a court file related to the user.\\n\\nThe full list of declared permissions in the app manifest file is shown below:\\n\\n * MANAGE_EXTERNAL_STORAGE\\n * READ_EXTERNAL_STORAGE\\n * WRITE_EXTERNAL_STORAGE\\n * READ_SMS\\n * RECEIVE_SMS\\n * SEND_SMS\\n * WRITE_SMS\\n * RECEIVE_BOOT_COMPLETED\\n * INTERNET\\n * QUERY_ALL_PACKAGES\\n * BIND_ACCESSIBILITY_SERVICE\\n * DISABLE_KEYGUARD\\n * FOREGROUND_SERVICE\\n * FOREGROUND_SERVICE_DATA_SYNC\\n * POST_NOTIFICATIONS\\n * QUICKBOOT_POWERON\\n * RECEIVE_MMS\\n * RECEIVE_WAP_PUSH\\n * REQUEST_IGNORE_BATTERY_OPTIMIZATIONS\\n * SCHEDULE_EXACT_ALARM\\n * USE_EXACT_ALARM\\n * VIBRATE\\n * WAKE_LOCK\\n * ACCESS_NETWORK_STATE\\n * READ_PHONE_STATE\\n\\n\\n\\nAfter all required permissions are granted, the malware opens the official government webpage for accessing court case files in WebView, prompting the victim to sign in. There are different sign-in options, one of them via online banking. If the user chooses this method, they are prompted to click on a bank whose online banking app they use and fill out the sign-in form on the bank’s official website. This is what Frogblight is after, so it waits two seconds, then opens the online banking sign-in method regardless of the user’s choice. For each webpage that has finished loading in WebView, Frogblight injects JavaScript code allowing it to capture user input and send it to the C2 via a REST API.\\n\\nThe malware also changes its label to \\”Davalar\u0131m\\” if the Android version is newer than 12; otherwise it hides the icon.\\n\\n |  \\n—|— \\n \\n**_The app icon before (left) and after launching (right)_** \\nIn the sample we review in this section, Frogblight uses a REST API for C2 communication, implemented using the Retrofit library. The malicious app pings the C2 server every two seconds in foreground, and if no error is returned, it calls the REST API client methods `fetchOutbox` and getFileCommands. Other methods are called when specific events occur, for example, after the device screen is turned on, the `com.capcuttup.refresh.PersistentService` foreground service is launched, or an SMS is received. The full list of all REST API client methods with parameters and descriptions is shown below.\\n\\n**REST API client method** | **Description** | **Parameters** \\n—|—|— \\nfetchOutbox | Request message content to be sent via SMS or displayed in a notification | device_id: unique Android device ID \\nackOutbox | Send the results of processing a message received after calling the API method fetchOutbox | device_id: unique Android device ID \\nmsg_id: message ID \\nstatus: message processing status \\nerror: message processing error \\ngetAllPackages | Request the names of app packages whose launch should open a website in WebView to capture user input data | action: same as the API method name \\ngetPackageUrl | Request the website URL that will be opened in WebView when the app with the specified package name is launched | action: same as the API method name \\npackage: the package name of the target app \\ngetFileCommands | Request commands for file operations Available commands: \\n\u25cf download: upload the target file to the C2 \\n\u25cf generate_thumbnails: generate thumbnails from the image files in the target directory and upload them to the C2 \\n\u25cf list: send information about all files in the target directory to the C2 \\n\u25cf thumbnail: generate a thumbnail from the target image file and upload it to the C2 | device_id: unique Android device ID \\npingDevice | Check the C2 connection | device_id: unique Android device ID \\nreportHijackSuccess | Send captured user input data from the website opened in a WebView when the app with the specified package name is launched | action: same as the API method name \\npackage: the package name of the target app \\ndata: captured user input data \\nsaveAppList | Send information about the apps installed on the device | device_id: unique Android device ID app_list: a list of apps installed on the device \\napp_count: a count of apps installed on the device \\nsaveInjection | Send captured user input data from the website opened in a WebView. If it was not opened following the launch of the target app, the app_name parameter is determined based on the opened URL | device_id: unique Android device ID app_name: the package name of the target app \\nform_data: captured user input data \\nsavePermission | Unused but presumably needed for sending information about permissions | device_id: unique Android device ID permission_type: permission type \\nstatus: permission status \\nsendSms | Send information about an SMS message from the device | device_id: unique Android device ID sender: the sender’s\/recipient’s phone number \\nmessage: message text \\ntimestamp: received\/sent time \\ntype: message type (inbox\/sent) \\nsendTelegramMessage | Send captured user input data from the webpages opened by Frogblight in WebView | device_id: unique Android device ID \\nurl: website URL \\ntitle: website page title \\ninput_type: the type of user input data \\ninput_value: user input data \\nfinal_value: user input data with additional information \\ntimestamp: the time of data capture \\nip_address: user IP address \\nsms_permission: whether SMS permission is granted \\nfile_manager_permission: whether file access permission is granted \\nupdateDevice | Send information about the device | device_id: unique Android device ID \\nmodel: device manufacturer and model \\nandroid_version: Android version \\nphone_number: user phone number \\nbattery: current battery level \\ncharging: device charging status \\nscreen_status: screen on\/off \\nip_address: user IP address \\nsms_permission: whether SMS permission is granted \\nfile_manager_permission: whether file access permission is granted \\nupdatePermissionStatus | Send information about permissions | device_id: unique Android device ID \\npermission_type: permission type \\nstatus: permission status \\ntimestamp: current time \\nuploadBatchThumbnails | Upload thumbnails to the C2 | device_id: unique Android device ID \\nthumbnails: thumbnails \\nuploadFile | Upload a file to the C2 | device_id: unique Android device ID \\nfile_path: file path \\ndownload_id: the file ID on the C2 \\nThe file itself is sent as an unnamed parameter \\nuploadFileList | Send information about all files in the target directory | device_id: unique Android device ID \\npath: directory path \\nfile_list: information about the files in the target directory \\nuploadFileListLog | Send information about all files in the target directory to an endpoint different from uploadFileList | device_id: unique Android device ID \\npath: directory path \\nfile_list: information about the files in the target directory \\nuploadThumbnailLog | Unused but presumably needed for uploading thumbnails to an endpoint different from uploadBatchThumbnails | device_id: unique Android device ID \\nthumbnails: thumbnails \\n \\n#### Remote device control, persistence, and protection against deletion\\n\\nThe app includes several classes to provide the threat actor with remote access to the infected device, gain persistence, and protect the malicious app from being deleted.\\n\\n * `capcuttup.refresh.AccessibilityAutoClickService` \\nThis is intended to prevent removal of the app and to open websites specified by the threat actor in WebView upon target apps startup. It is present in the sample we review, but is no longer in use and deleted in further versions.\\n * `capcuttup.refresh.PersistentService` \\nThis is a service whose main purpose is to interact with the C2 and to make malicious tasks persistent.\\n * `capcuttup.refresh.BootReceiver` \\nThis is a broadcast receiver responsible for setting up the persistence mechanisms, such as job scheduling and setting alarms, after device boot completion.\\n\\n\\n\\n### Further development\\n\\nIn later versions, new functionality was added, and some of the more recent Frogblight variants disguised themselves as the Chrome browser. Let’s look at one of the fake Chrome samples (`d7d15e02a9cd94c8ab00c043aef55aff`).\\n\\nIn this sample, new REST API client methods have been added for interacting with the C2.\\n\\n**REST API client method** | **Description** | **Parameters** \\n—|—|— \\ngetContactCommands | Get commands to perform actions with contacts \\nAvailable commands: \\n\u25cf ADD_CONTACT: add a contact to the user device \\n\u25cf DELETE_CONTACT: delete a contact from the user device \\n\u25cf EDIT_CONTACT: edit a contact on the user device | device_id: unique Android device ID \\nsendCallLogs | Send call logs to the C2 | device_id: unique Android device ID \\ncall_logs: call log data \\nsendNotificationLogs | Send notifications log to the C2. Not fully implemented in this sample, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this API method | action: same as the API method name \\nnotifications: notification log data \\n \\nAlso, the threat actor had implemented a custom input method for recording keystrokes to a file using the `com.puzzlesnap.quickgame.CustomKeyboardService` service.\\n\\nAnother Frogblight sample we observed trying to avoid emulators and using geofencing techniques is `115fbdc312edd4696d6330a62c181f35`. In this sample, Frogblight checks the environment (for example, device model) and shuts down if it detects an emulator or if the device is located in the United States.\\n\\n\\n\\nPart of the code responsible for avoiding Frogblight running in an undesirable environment\\n\\nLater on, the threat actor decided to start using a web socket instead of the REST API. Let’s see an example of this in one of the recent samples (`08a3b1fb2d1abbdbdd60feb8411a12c7`). This sample is disguised as an app for receiving social support via an official government webpage. The feature set of this sample is very similar to the previous ones, with several new capabilities added. Commands are transmitted over a web socket using the JSON format. A command template is shown below:\\n \\n \\n {\\n \\”id\\”: \\u003ccommand ID\\u003e,\\n \\”command_type\\”: \\u003ccommand name\\u003e\\n \\”command_data\\”: \\u003ccommand data\\u003e\\n }\\n\\nIt is also worth noting that some commands in this version share the same meaning but have different structures, and the functionality of certain commands has not been fully implemented yet. This indicates that Frogblight was under active development at the time of our research, and since no its activity was noticed after September, it is possible that the malware is being finalized to a fully operational state before continuing to infect users’ devices. A full list of commands with their parameters and description is shown below:\\n\\n**Command** | **Description** | **Parameters** \\n—|—|— \\nconnect | Send a registration message to the C2 | \u2013 \\nconnection_success | Send various information, such as call logs, to the C2; start pinging the C2 and requesting commands | \u2013 \\nauth_error | Log info about an invalid login key to the Android log system | \u2013 \\npong_device | _Does nothing_ | \u2013 \\ncommands_list | Execute commands | List of commands \\nsms_send_command | Send an arbitrary SMS message | recipient: message destination \\nmessage: message text \\nmsg_id: message ID \\nbulk_sms_command | Send an arbitrary SMS message to multiple recipients | recipients: message destinations \\nmessage: message text \\nget_contacts_command | Send all contacts to the C2 | \u2013 \\nget_app_list_command | Send information about the apps installed on the device to the C2 | \u2013 \\nget_files_command | Send information about all files in certain directories to the C2 | \u2013 \\nget_call_logs_command | Send call logs to the C2 | \u2013 \\nget_notifications_command | Send a notifications log to the C2. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | \u2013 \\ntake_screenshot_command | Take a screenshot. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | \u2013 \\nupdate_device | Send registration message to the C2 | \u2013 \\nnew_webview_data | Collect WebView data. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | \u2013 \\nnew_injection | Inject code. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | code: injected code \\ntarget_app: presumably the package name of the target app \\nadd_contact_command | Add a contact to the user device | name: contact name \\nphone: contact phone \\nemail: contact email \\ncontact_add | Add a contact to the user device | display_name: contact name \\nphone_number: contact phone \\nemail: contact email \\ncontact_delete | Delete a contact from the user device | phone_number: contact phone \\ncontact_edit | Edit a contact on the user device | display_name: new contact name \\nphone_number: contact phone \\nemail: new contact email \\ncontact_list | Send all contacts to the C2 | \u2013 \\nfile_list | Send information about all files in the specified directory to the C2 | path: directory path \\nfile_download | Upload the specified file to the C2 | file_path: file path \\ndownload_id: an ID that is received with the command and sent back to the C2 along with the requested file. Most likely, this is used to organize data on the C2 \\nfile_thumbnail | Generate a thumbnail from the target image file and upload it to the C2 | file_path: image file path \\nfile_thumbnails | Generate thumbnails from the image files in the target directory and upload them to the C2 | folder_path: directory path \\nhealth_check | Send information about the current device state: battery level, screen state, and so on | \u2013 \\nmessage_list_request | Send all SMS messages to the C2 | \u2013 \\nnotification_send | Show an arbitrary notification | title: notification title \\nmessage: notification message \\napp_name: notification subtext \\npackage_list_response | Save the target package names | packages: a list of all target package names. \\nEach list element contains: \\npackage_name: target package name \\nactive: whether targeting is active \\ndelete_contact_command | Delete a contact from the user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | contact_id: contact ID \\nname: contact name \\nfile_upload_command | Upload specified file to the C2. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | file_path: file path \\nfile_name: file name \\nfile_download_command | Download file to user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | file_url: the URL of the file to download \\ndownload_path: download path \\ndownload_file_command | Download file to user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command | file_url: the URL of the file to download \\ndownload_path: downloading path \\nget_permissions_command | Send a registration message to the C2, including info about specific permissions | \u2013 \\nhealth_check_command | Send information about the current device state, such as battery level, screen state, and so on | \u2013 \\nconnect_error | Log info about connection errors to the Android log system | A list of errors \\nreconnect | Send a registration message to the C2 | \u2013 \\ndisconnect | Stop pinging the C2 and requesting commands from it | \u2013 \\n \\nAuthentication via WebSocket takes place using a special key.\\n\\n\\n\\nThe part of the code responsible for the WebSocket authentication logic\\n\\nAt the IP address to which the WebSocket connection was made, the Frogblight web panel was accessible, which accepted the authentication key mentioned above. Since only samples using the same key as the webpanel login are controllable through it, we suggest that Frogblight might be distributed under the MaaS model.\\n\\n\\n\\nThe interface of the sign-in screen for the Frogblight web panel\\n\\nJudging by the menu options, the threat actor can sort victims’ devices by certain parameters, such as the presence of banking apps on the device, and send bulk SMS messages and perform other mass actions.\\n\\n## Victims\\n\\nSince some versions of Frogblight opened the Turkish government webpage to collect user-entered data on Turkish banks’ websites, we assume with high confidence that it is aimed mainly at users from Turkey. Also, based on our telemetry, the majority of users attacked by Frogblight are located in that country.\\n\\n## Attribution\\n\\nEven though it is not possible to provide an attribution to any known threat actor based on the information available, during our analysis of the Frogblight Android malware and the search for online mentions of the names it uses, we discovered a GitHub profile containing repos with Frogblight, which had also created repos with Coper malware, distributed under the MaaS model. It is possible that this profile belongs to the attackers distributing Coper who have also started distributing Frogblight.\\n\\n\\n\\nGitHub repositories containing Frogblight and Coper malware\\n\\nAlso, since the comments in the Frogblight code are written in Turkish, we believe that its developers speak this language.\\n\\n## Conclusions\\n\\nThe new Android malware we dubbed \\”Frogblight\\” appeared recently and targets mainly users from Turkey. This is an advanced banking Trojan aimed at stealing money. It has already infected real users’ devices, and it doesn’t stop there, adding more and more new features in the new versions that appear. It can be made more dangerous by the fact that it may be used by attackers who already have experience distributing malware. We will continue to monitor its development.\\n\\n## Indicators of Compromise\\n\\n_More indicators of compromise, as well as any updates to these, are available to the customers of ourcrimeware reporting service. If you are interested, please contact crimewareintel@kaspersky.com._\\n\\n**APK file hashes** \\n8483037dcbf14ad8197e7b23b04aea34 \\n105fa36e6f97977587a8298abc31282a \\ne1cd59ae3995309627b6ab3ae8071e80 \\n115fbdc312edd4696d6330a62c181f35 \\n08a3b1fb2d1abbdbdd60feb8411a12c7 \\nd7d15e02a9cd94c8ab00c043aef55aff \\n9dac23203c12abd60d03e3d26d372253\\n\\n**C2 domains** \\n1249124fr1241og5121.sa[.]com \\nfroglive[.]net\\n\\n**C2 IPs** \\n45.138.16.208[:]8080\\n\\n**URL of GitHub repository with Frogblight phishing website source code** \\nhttps:\/\/github[.]com\/eraykarakaya0020\/e-ifade-vercel\\n\\n**URL of GitHub account containing APK files of Frogblight and Coper** \\nhttps:\/\/github[.]com\/Chromeapk\\n\\n**Distribution URLs** \\nhttps:\/\/farketmez37[.]cfd\/e-ifade.apk \\nhttps:\/\/farketmez36[.]sbs\/e-ifade.apk \\nhttps:\/\/e-ifade-app-5gheb8jc.devinapps[.]com\/e-ifade.apk”,”published”:”2025-12-15T07:00:57″,”modified”:”2025-12-15T07:00:57″,”type”:”securelist”,”title”:”Frogblight threatens you with a court case: a new Android banker targets Turkish users”,”source”:””,”references”:””,”id”:”SECURELIST:786F74F650FAC0A9E10635C67068DA5E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/securelist.com\/frogblight-banker\/118440\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-15T08:05:10″,”description”:”\\n\\nIn August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed \\”Frogblight\\”. Initially, the malware was disguised…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,136,7,11,5],"class_list":["post-31105","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-securelist","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n