Frogblight threatens you with a court case: a new Android banker targets Turkish users

Frogblight is a newly discovered Android banking Trojan targeting mainly users in Turkey that was first disguised as a government court-case app and later appeared as a fake Chrome browser. The malware captures banking credentials via WebView JavaScript injection, collects SMS, app and filesystem data, communicates with C2 servers over REST and WebSocket, and shows signs of active development and possible MaaS distribution. #Frogblight #Turkey

Keypoints

  • Frogblight is an Android banking Trojan discovered in August 2025 that primarily targets users in Turkey and was initially disguised as an app for accessing court case files.
  • Distribution vectors include smishing/phishing SMS messages linking to APKs hosted on phishing sites and GitHub; the phishing site source code and an admin panel were found publicly.
  • The malware opens official government webpages in WebView and injects JavaScript to capture user input (including online banking credentials) and exfiltrate it to C2 servers.
  • Frogblight collects SMS messages, installed app lists, filesystem information, call logs, contacts, and can send arbitrary SMS messages and notifications to facilitate fraud.
  • It uses a REST API (Retrofit) for C2 communication and later variants switched to WebSocket (JSON); supported remote commands include file upload/download, SMS sending, contact manipulation, and more.
  • Persistence and protection mechanisms include BootReceiver, foreground services, accessibility services and a custom keyboard; samples implement emulator checks and geofencing and appear actively developed, possibly as MaaS.
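The persistence and protection components listed above (a boot receiver, foreground services, an accessibility service, a custom keyboard) all have to be declared in an APK's AndroidManifest.xml, so a quick static triage can flag apps that combine them with SMS, contact and call-log permissions. The helper below is an added example written for this page, not code from the Securelist write-up or from the malware; the two manifests it scores are constructed samples (package names, component names and labels are invented) and it assumes the components are declared in the standard way, which an obfuscated sample may not do.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in every AndroidManifest.xml
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission groups tied to the capabilities the write-up describes
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
PIM_PERMS = {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
             "android.permission.READ_CALL_LOG"}

# Constructed manifest (hypothetical names, not taken from any real sample):
# boot receiver + accessibility service + input method + foreground service + SMS/PIM perms
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.courtfiles">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Court Files">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".KeyboardService"
            android:permission="android.permission.BIND_INPUT_METHOD">
            <intent-filter>
                <action android:name="android.view.InputMethod"/>
            </intent-filter>
        </service>
        <service android:name=".MainService" android:foregroundServiceType="dataSync"/>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: one activity, network access only
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a dict of boolean findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    foreground = ("android.permission.FOREGROUND_SERVICE" in perms or any(
        s.get(ANDROID + "foregroundServiceType") for s in root.iter("service")))
    return {
        # receiver for BOOT_COMPLETED is only useful with the matching permission
        "boot_receiver": ("android.intent.action.BOOT_COMPLETED" in actions
                          and "android.permission.RECEIVE_BOOT_COMPLETED" in perms),
        "accessibility_service":
            "android.accessibilityservice.AccessibilityService" in actions,
        "custom_keyboard": "android.view.InputMethod" in actions,
        "foreground_service": foreground,
        "sms_access": bool(perms & SMS_PERMS),
        "contacts_or_call_log": bool(perms & PIM_PERMS),
    }


def risk_score(findings):
    """Number of findings present; 4 or more out of 6 warrants manual review."""
    return sum(1 for hit in findings.values() if hit)


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(xml)
        print(name, risk_score(f), [k for k, v in f.items() if v])
```

Run it against a manifest decoded with apktool or androguard; the score is a triage aid, not a verdict, since legitimate accessibility tools and keyboards declare some of the same components.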

MITRE Techniques

  • [T1566] Phishing – Frogblight was distributed via SMS phishing (smishing) that convinced users to install the APK (‘smishing is one of the distribution vectors for Frogblight, and that the users had to install the malware themselves.’)
  • [T1056] Input Capture – The malware injects JavaScript into WebView to capture user input on banking pages and forward it to C2 (‘injects JavaScript code allowing it to capture user input and send it to the C2 via a REST API.’)
  • [T1005] Data from Local System – Frogblight collects local data such as SMS messages, a list of installed apps and filesystem information for exfiltration (‘capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information.’)
  • [T1041] Exfiltration Over C2 Channel – Captured data and files are sent to command-and-control servers via API endpoints and file upload methods (‘The malicious app pings the C2 server every two seconds in foreground, and if no error is returned, it calls the REST API client methods fetchOutbox and getFileCommands.’)
  • [T1071] Application Layer Protocol – Frogblight uses application-layer protocols for C2, using a REST API (Retrofit) and later switching to WebSocket/JSON for commands (‘Later on, the threat actor decided to start using a web socket instead of the REST API.’)
  • [T1497] Virtualization/Sandbox Evasion – Samples check the environment and disable execution if running in an emulator or in undesired geolocations (US) to avoid analysis (‘checks the environment (for example, device model) and shuts down if it detects an emulator or if the device is located in the United States.’)
  • [T1547] Boot or Logon Autostart Execution – Persistence is achieved using BootReceiver, scheduled jobs and foreground services to restore functionality after reboot (‘BootReceiver… responsible for setting up the persistence mechanisms, such as job scheduling and setting alarms, after device boot completion.’)

Indicators of Compromise

  • [APK file hash] samples used in analysis – 9dac23203c12abd60d03e3d26d372253, 08a3b1fb2d1abbdbdd60feb8411a12c7, and 4 more hashes
  • [C2 domains] command-and-control domains – froglive[.]net, 1249124fr1241og5121.sa[.]com
  • [C2 IPs] command-and-control IP and port – 45.138.16.208[:]8080
  • [Distribution URLs] phishing and distribution links hosting malicious APKs – https://farketmez37[.]cfd/e-ifade.apk, https://farketmez36[.]sbs/e-ifade.apk, and 1 more URL
  • [GitHub repositories/accounts] source code and APK hosting related to distribution – https://github[.]com/eraykarakaya0020/e-ifade-vercel, https://github[.]com/Chromeapk
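The indicators above are published defanged, and the two most common sweep mistakes are forgetting to refang them and matching a domain as a bare substring (so that a longer unrelated name ending in the same string also fires). The script below is an added example written for this page, not code from the Securelist write-up: it refangs the page's own domain, socket, URL and hash indicators, compiles boundary-aware matchers, and runs them over a handful of constructed DNS, proxy and EDR log lines (hosts, client IPs and timestamps are invented).

```python
import re

# Indicators exactly as published on this page (defanged); extend as needed
IOCS = {
    "domain": ["froglive[.]net", "1249124fr1241og5121.sa[.]com"],
    "socket": ["45.138.16.208[:]8080"],
    "url": ["https://farketmez37[.]cfd/e-ifade.apk",
            "https://farketmez36[.]sbs/e-ifade.apk"],
    "md5": ["9dac23203c12abd60d03e3d26d372253",
            "08a3b1fb2d1abbdbdd60feb8411a12c7"],
}

# Constructed log lines for the demo; not real telemetry
SAMPLE_LOGS = [
    "2025-08-12T10:01:02Z dns client=10.0.0.5 query=froglive.net type=A",
    "2025-08-12T10:01:05Z proxy client=10.0.0.5 method=CONNECT dest=45.138.16.208:8080",
    "2025-08-12T10:02:00Z proxy client=10.0.0.7 method=GET url=https://farketmez37.cfd/e-ifade.apk",
    "2025-08-12T10:03:00Z dns client=10.0.0.9 query=www.example.com type=A",
    "2025-08-12T10:04:00Z edr host=phone-42 event=apk_install md5=9dac23203c12abd60d03e3d26d372253",
    "2025-08-12T10:05:00Z dns client=10.0.0.9 query=notfroglive.net type=A",  # must not match
]


def refang(ioc):
    """Undo the usual defanging so the indicator matches live log data."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def compile_matchers(iocs=IOCS):
    """Return a list of (kind, refanged_ioc, compiled_regex)."""
    matchers = []
    for kind, values in iocs.items():
        for raw in values:
            ioc = refang(raw)
            esc = re.escape(ioc)
            if kind == "domain":
                # the domain itself or any subdomain, but not a longer label ending in it
                pat = r"(?<![\w-])(?:[\w-]+\.)*" + esc + r"(?![\w-])"
            elif kind == "socket":
                # ip:port with no extra digits/octets on either side
                pat = r"(?<![\d.])" + esc + r"(?!\d)"
            elif kind == "md5":
                pat = r"\b" + esc + r"\b"
            else:
                # URL: exact substring; paths are case-sensitive
                pat = esc
            flags = 0 if kind == "url" else re.IGNORECASE
            matchers.append((kind, ioc, re.compile(pat, flags)))
    return matchers


def sweep(lines, matchers=None):
    """Return (line_index, kind, ioc) for every indicator hit in the lines."""
    matchers = matchers or compile_matchers()
    hits = []
    for idx, line in enumerate(lines):
        for kind, ioc, rx in matchers:
            if rx.search(line):
                hits.append((idx, kind, ioc))
    return hits


if __name__ == "__main__":
    for idx, kind, ioc in sweep(SAMPLE_LOGS):
        print(f"line {idx}: {kind} {ioc}")
```

Feed it real export lines from a DNS resolver, proxy or MDM/EDR console; the domain matcher deliberately accepts subdomains, since the C2 hosts could be fronted by additional labels, while the hash matcher is case-insensitive because tools emit MD5s in both cases.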


Read more: https://securelist.com/frogblight-banker/118440/