Frogblight Malware Targets Android Users With Fake Court and Aid Apps

A new and concerning digital threat has emerged, specifically targeting mobile users in Turkiye with the intent of siphoning funds from their bank accounts. This Android-based Trojan, dubbed Frogblight, was first identified by researchers from Kaspersky’s threat intelligence unit, Securelist, in August 2025. Since its discovery, the malware has undergone rapid evolution, with frequent updates observed throughout September 2025 aimed at evading detection.

The Court Case and Social Aid Traps

The primary vector for the spread of Frogblight is smishing, or SMS phishing. Scammers send deceptive text messages to individuals in Turkiye, falsely claiming that the recipient is involved in a legal court case or is eligible for financial aid. These messages typically include a link to download a file viewer or support application.

Additionally, the scammers have been known to spoof social support applications, creating fake portals for the Ministry of Family and Social Services or using filenames like e-ifade.apk to mislead individuals into believing they are applying for state assistance.

Fear serves as a potent motivator, prompting many to unwittingly install the malicious file. Once installed, the app masquerades under the Turkish name ‘Davalarım’ (My Court Cases) and requests extensive permissions to read SMS messages and access device storage.

Further analysis reveals that the code contains comments in Turkish, indicating that the creators are likely native speakers. Notably, the malware takes steps to conceal itself: it deactivates if it detects that it is running on a simulated device (an emulator) or if the device’s location is within the United States.

The phishing website distributing Frogblight (Source: Securelist)

How the Theft Occurs

A thorough examination by Securelist indicates that the malware does not merely steal passwords; it functions as a spy. Once the user grants permissions, the app opens a legitimate government website to appear credible. It then waits for the user to select a banking login, at which point it injects hidden JavaScript code.

This code meticulously records every keystroke made by the user. Recent iterations of the malware have introduced additional capabilities, such as keylogging, theft of contact lists, and the collection of private call logs.

“Frogblight represents a concerning evolution in mobile banking threats,” remarked Georgy Bubenok, a malware analyst at Kaspersky. He emphasized that the use of legitimate government portals significantly enhances the effectiveness of these scams.

Disguises, Development and Protection

Hackers have broadened their array of disguises, with newer versions of the malware masquerading as the Google Chrome browser or universal social aid tools. The name Frogblight was chosen due to the frog-themed design of the hackers’ control center, named ‘fr0g.’ Researchers have also discovered the source code available on GitHub, alongside other malware like Coper, suggesting that it is marketed as malware-as-a-service (MaaS) to other criminals.

Sign-in screen for the Frogblight web panel (Source: Securelist)

To safeguard against such threats, Kaspersky researchers advise users to avoid downloading APK files sent via text or from untrusted websites. Additionally, they recommend scrutinizing app permission requests; for instance, a simple file viewer should not require access to manage SMS messages.
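The permission check recommended above can be automated when triaging a suspicious APK. The following is an added example, not code from Securelist or from the malware: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the permission-to-category mapping, the viewer policy and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: standard Android permission names, grouped by the data
# categories the article mentions (SMS, storage, contacts, call logs).
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}
# Hypothetical policy: a plain file viewer can justify storage access only.
VIEWER_ALLOWED = {"storage"}

def requested_permissions(manifest_xml):
    """Collect every permission name declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def unexpected_for_viewer(manifest_xml):
    """Return {category: [permissions]} a file viewer should not need."""
    findings = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        category = SENSITIVE.get(perm)
        if category and category not in VIEWER_ALLOWED:
            findings.setdefault(category, []).append(perm)
    return findings

# Constructed sample manifest (not from a real APK; package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fileviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    print(unexpected_for_viewer(SAMPLE_MANIFEST))
```

An empty result means none of the listed categories exceeded the viewer policy; it does not mean the app is safe.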
