Turkey’s Digital Deceivers: Android Banking Trojan Poses as Government Portals in Sophisticated SMS Scam
A new Android malware operation in Turkey exploits fake government apps and phishing SMS to siphon sensitive data and banking credentials.
When a Turkish citizen receives a text warning of a pending court case, panic is a natural reaction. But for hundreds this year, that fear has been expertly weaponized by cybercriminals wielding a new Android Trojan named “Frogblight” - a digital parasite that masquerades as a government portal, only to siphon off banking credentials and personal data in a matter of moments.
How the Scam Unfolds
First detected in August 2025 by Kaspersky researchers, Frogblight’s campaign starts with a simple SMS. The message claims the recipient has a court case and urges them to download an official-looking app - one that mimics the Turkish government’s case-tracking portal. In reality, this app is a Trojan horse, requesting sweeping permissions: access to SMS, storage, and device information.
Once installed, Frogblight opens a real government website within a disguised browser window (WebView), prompting victims to sign in. If the user logs in with their bank credentials, the malware silently injects malicious code that captures every keystroke and relays it to a remote command-and-control (C2) server controlled by the attackers.
The operation’s technical sophistication doesn’t stop there. Frogblight can upload stolen SMS messages, call logs, and contacts, and can even deploy a custom keyboard to record further keystrokes. Later versions employ geofencing, shutting down if run outside Turkey or in emulator environments, which hinders analysis and makes international spread harder to track.
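For defenders triaging a suspicious APK, the capability mix described above can be checked from the app's manifest. The following is an added example, not code from the article or from Kaspersky's report; it assumes the manifest has already been decoded to text XML (for example with apktool), and the mapping of the article's categories to standard Android permission names, the sample manifest, and the function name `triage_manifest` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capability groups named in the article, mapped (as an assumption) to
# standard Android permission names with the "android.permission." prefix dropped.
GROUPS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "device_info": {"READ_PHONE_STATE"},
    "call_log": {"READ_CALL_LOG"},
    "contacts": {"READ_CONTACTS"},
}
DESCRIBED_TRIO = {"sms", "storage", "device_info"}  # requested at install per the article

# Constructed sample manifest (hypothetical package, not from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.casetracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".Kbd"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return which of the article's capability groups a decoded manifest requests."""
    # For untrusted input, parse with the defusedxml package instead of ElementTree.
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            requested.add(el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1])
    found = {group for group, perms in GROUPS.items() if perms & requested}
    # A service guarded by BIND_INPUT_METHOD means the app ships its own keyboard.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission", "").endswith("BIND_INPUT_METHOD"):
            found.add("custom_keyboard")
    return {
        "package": root.get("package"),
        "capabilities": sorted(found),
        "matches_described_trio": DESCRIBED_TRIO <= found,
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match is a prompt for closer review rather than a verdict, since legitimate apps can request the same permissions.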
Criminal Infrastructure and Ambitions
Researchers uncovered that the phishing sites used to distribute Frogblight were built from source code found openly on GitHub, with templates easily deployed to cloud platforms like Vercel. Some phishing pages brazenly display “admin panels,” revealing download stats and operator controls.
Perhaps most concerning: the malware’s backend web panel, secured with unique keys, allows operators to monitor infected devices at scale. This infrastructure, coupled with frequent code updates and Turkish-language comments, points to a well-organized group aiming to commercialize their toolkit as a Malware-as-a-Service (MaaS) platform - a criminal business model that could see Frogblight variants rented out globally.
A Broader Threat Looms
While most infections have so far been confined to Turkey, the ongoing development and modular design of Frogblight mean that international expansion is only a matter of time. With the lines between official apps and malware blurring, vigilance is critical: the next convincing SMS could be more than just a scam - it could be a gateway to financial ruin.