Frogblight¶
Frogblight is an Android banking trojan that targets Turkish users and is distributed via smishing as fake court case notification documents. Kaspersky published the analysis in August 2025, documenting a banking trojan that records keystrokes through a custom InputMethodService (keyboard) rather than the accessibility service, and that uses geofencing to avoid execution in the United States, a common tactic to reduce exposure to US-based security researchers and sandboxes. Kaspersky noted possible connections to the Coper MaaS ecosystem, which traces its lineage back to Exobot through ExobotCompact/Octo.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2025 |
| Last Seen | Active |
| Status | Active, under development |
| Type | Banking trojan with keylogging via custom keyboard |
| Attribution | Unknown; possible Coper MaaS connection |
| Aliases | None known |
Vendor Names¶
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Frogblight |
| ESET | Android/Spy.Banker.Frogblight |
Origin and Lineage¶
Kaspersky identified possible connections to the Coper MaaS operation, which is part of the Exobot lineage (Exobot, then ExobotCompact/Octo, then Coper). If the Coper connection is confirmed, Frogblight would join Octo and Coper as a descendant of that lineage. The relationship rests on Kaspersky's observation of possible code sharing and has not been definitively established.
Distribution¶
| Vector | Details |
|---|---|
| Smishing | SMS messages impersonating Turkish court notifications |
| Fake court documents | APKs disguised as court case viewing applications |
| Social engineering | Urgency-based lures about pending legal proceedings |
The court case impersonation creates strong urgency: recipients believe they have pending legal matters requiring immediate attention, motivating them to install the "document viewer" app. This social engineering approach parallels Copybara's TOAD-based (telephone-oriented attack delivery) lures and Zanubis's government impersonation, where official-seeming communications compel installation.
Capabilities¶
| Capability | Description |
|---|---|
| Custom keyboard keylogging | Records keystrokes via malicious InputMethodService |
| Overlay attacks | Credential phishing overlays over Turkish banking apps |
| SMS interception | Reads and intercepts OTP codes |
| Geofencing | Refuses to execute when the device locale, SIM country, or IP geolocation indicates the United States |
| Screen recording | Captures device screen activity |
| Contact exfiltration | Uploads contact list |
| Persistence | Prevents uninstallation via accessibility |
Custom Keyboard Keylogging¶
Frogblight's primary keylogging mechanism uses Android's InputMethodService API to register as a custom input method (keyboard). Android requires two user actions before a third-party keyboard receives any text: enabling it in Settings, past the system warning that the keyboard may collect everything typed including passwords, and then selecting it as the current input method. Once both are done, the malicious keyboard receives every character the user enters in any application, including banking apps, messaging apps, and browsers, without holding the accessibility permission. This approach differs from the accessibility-based keylogging used by most banking trojans (Cerberus, Anubis, Hook):
| Method | Pros | Cons |
|---|---|---|
| Accessibility keylogging | Captures from any keyboard | Needs the accessibility permission, which Android's restricted-settings flow blocks for sideloaded apps and which security products flag |
| Custom keyboard (Frogblight) | Direct access to typed text; no accessibility permission, so it avoids the checks built around that permission | Requires the user to enable the keyboard in Settings and select it as the active input method; the active IME is visible in the device's secure settings |
Technical Details¶
InputMethodService Implementation¶
The malware registers an InputMethodService that functions as a system keyboard:
- After installation, the app prompts the user to enable the custom keyboard in Settings and to switch to it
- Once enabled and selected as the current input method, it receives all text entered in any app, replacing the default keyboard
- All keystrokes are logged and sent to the C2
- The keyboard UI mimics a standard Android keyboard to avoid suspicion
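The practical counter to this technique is to check which input methods a device has enabled and which one is active: the malicious IME must appear in the secure settings `default_input_method` and `enabled_input_methods`, and a Frogblight-style sample arrives sideloaded rather than from a store. The triage helper below is an added example, not Kaspersky's analysis code or anything from the malware. It parses the output of `adb shell settings get secure ...` and `adb shell pm list packages -i` and flags enabled keyboards that are neither on a vendor allowlist nor store-installed. The allowlist, the package name `com.example.courtviewer`, and the sample device output are constructed for illustration.

```shell
#!/bin/sh
# Added triage example for the custom-keyboard technique. Not Frogblight or
# Kaspersky code. Allowlists and the sample output below are constructed.

# Keyboards that are expected on most handsets (extend for your fleet).
KNOWN_IME_PKGS="com.google.android.inputmethod.latin com.samsung.android.honeyboard com.touchtype.swiftkey com.android.inputmethod.latin"
# Installer packages that count as "came from a store".
KNOWN_INSTALLERS="com.android.vending com.sec.android.app.samsungapps"

# pkg_of "com.foo.bar/.KeyboardService" -> "com.foo.bar"
pkg_of() { printf '%s\n' "$1" | cut -d/ -f1; }

# word_in LIST WORD: succeeds if WORD is one of the space-separated LIST entries
word_in() {
  for w in $1; do [ "$w" = "$2" ] && return 0; done
  return 1
}

# installer_of PKG PM_OUTPUT: the installer recorded by PackageManager for PKG.
# `pm list packages -i` prints "package:<pkg>  installer=<src>"; sideloaded
# packages show installer=null, which is reported here as "none".
installer_of() {
  printf '%s\n' "$2" | awk -v p="package:$1" '
    $1 == p { v = $2; sub(/^installer=/, "", v); if (v == "null") v = "none"; print v; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# triage_ime DEFAULT_IME ENABLED_IMES PM_OUTPUT
# Prints one line per enabled IME: "<verdict> <component> installer=<src>".
#   OK      known vendor keyboard
#   REVIEW  third-party keyboard installed from a store
#   SUSPECT third-party keyboard that was sideloaded (Frogblight pattern)
# "ACTIVE" is appended when the IME is the current keyboard.
triage_ime() {
  default="$1"; pm="$3"
  oldifs=$IFS; IFS=':'; set -- $2; IFS=$oldifs   # enabled list is colon-separated
  for comp in "$@"; do
    pkg=$(pkg_of "$comp")
    src=$(installer_of "$pkg" "$pm")
    if word_in "$KNOWN_IME_PKGS" "$pkg"; then verdict=OK
    elif word_in "$KNOWN_INSTALLERS" "$src"; then verdict=REVIEW
    else verdict=SUSPECT
    fi
    [ "$comp" = "$default" ] && verdict="$verdict ACTIVE"
    printf '%s %s installer=%s\n' "$verdict" "$comp" "$src"
  done
}

# triage_device: same check against a connected device (needs adb).
triage_device() {
  triage_ime "$(adb shell settings get secure default_input_method)" \
             "$(adb shell settings get secure enabled_input_methods)" \
             "$(adb shell pm list packages -i)"
}

# Constructed sample of what a Frogblight-style infection looks like: the
# sideloaded "court viewer" app has registered and been switched to as keyboard.
SAMPLE_DEFAULT='com.example.courtviewer/.KeyboardService'
SAMPLE_ENABLED='com.google.android.inputmethod.latin/com.android.inputmethod.latin.LatinIME:com.example.courtviewer/.KeyboardService'
SAMPLE_PM='package:com.google.android.inputmethod.latin  installer=com.android.vending
package:com.example.courtviewer  installer=null'

# Usage: triage_ime "$SAMPLE_DEFAULT" "$SAMPLE_ENABLED" "$SAMPLE_PM"
#   -> OK com.google.android.inputmethod.latin/com.android.inputmethod.latin.LatinIME installer=com.android.vending
#   -> SUSPECT ACTIVE com.example.courtviewer/.KeyboardService installer=none
```

`triage_device` is the one to run on a suspect handset; a `SUSPECT ACTIVE` line is the condition to escalate on, since it means a sideloaded package is currently receiving every keystroke. The allowlist is deliberately short: a keyboard missing from it is only downgraded to REVIEW if the store installed it, so unknown but legitimate keyboards do not get buried under false positives.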
Geofencing¶
Frogblight checks device locale, SIM card country code, and IP geolocation. If US-based indicators are detected, the malware deactivates. This reduces the chance of analysis by US-based security researchers and sandbox environments, which are disproportionately used by major security vendors.
| Check | Method |
|---|---|
| SIM country | TelephonyManager.getSimCountryIso() |
| Device locale | Locale.getDefault() |
| IP geolocation | HTTP request to IP geolocation service |
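For an analyst the consequence of these checks is that a stock emulator, which reports a US SIM and an en-US locale, will never reach the banking routines. The script below is an added example, not Kaspersky's or Frogblight's code: it reads an `adb shell getprop` dump, reports the values behind the SIM-country and locale checks, decides whether a Frogblight-style gate would bail, and can repoint those values on a rooted emulator. It assumes (verify on your image) that `TelephonyManager.getSimCountryIso()` reflects the `gsm.sim.operator.iso-country` property and that `Locale.getDefault()` reflects `persist.sys.locale` after a reboot. The IP geolocation check happens off-device and needs egress from a Turkish IP, which no device property can supply. The sample property dump is constructed.

```shell
#!/bin/sh
# Added sandbox pre-flight for the geofence checks. Not Frogblight or Kaspersky
# code. Property names are assumptions about emulator images; verify by
# reading the values back from a test app on your image.

# prop NAME GETPROP_OUTPUT: value of one property from a getprop dump.
# getprop prints lines as "[name]: [value]".
prop() {
  printf '%s\n' "$2" | awk -v k="[$1]:" '$1 == k { print substr($2, 2, length($2) - 2); exit }'
}

# device_locale GETPROP_OUTPUT: persist.sys.locale, falling back to the
# build-time ro.product.locale when the user never changed the language.
device_locale() {
  loc=$(prop persist.sys.locale "$1")
  [ -n "$loc" ] || loc=$(prop ro.product.locale "$1")
  printf '%s\n' "$loc"
}

# region_indicators GETPROP_OUTPUT -> "sim=<cc> locale=<tag>"
region_indicators() {
  printf 'sim=%s locale=%s\n' "$(prop gsm.sim.operator.iso-country "$1")" "$(device_locale "$1")"
}

# us_gated GETPROP_OUTPUT: succeeds when either on-device indicator says US,
# i.e. when a gate like Frogblight's would refuse to run in this sandbox.
# Mirrors the SIM-country and locale checks; the IP check is not reproducible here.
us_gated() {
  sim=$(prop gsm.sim.operator.iso-country "$1" | tr 'A-Z' 'a-z')
  region=$(device_locale "$1" | sed -n 's/^[A-Za-z]*[-_]\([A-Za-z][A-Za-z]\).*/\1/p' | tr 'A-Z' 'a-z')
  [ "$sim" = "us" ] || [ "$region" = "us" ]
}

# spoof_region CC LOCALE: point the on-device checks at another country on a
# rooted emulator, e.g. `spoof_region tr tr-TR`. Locale changes need a reboot.
spoof_region() {
  adb root >/dev/null
  adb shell setprop gsm.sim.operator.iso-country "$1"
  adb shell setprop gsm.operator.iso-country "$1"
  adb shell setprop persist.sys.locale "$2"
  adb reboot
  echo "Remember: route emulator traffic through a '$1' egress for the IP geolocation check" >&2
}

# check_device: run the report against a connected device (needs adb).
check_device() {
  dump=$(adb shell getprop)
  region_indicators "$dump"
  if us_gated "$dump"; then echo "US indicators present: sample will likely bail"
  else echo "no US indicators on device; IP egress still needs checking"; fi
}

# Constructed sample: the defaults of a stock US emulator image.
SAMPLE_PROPS='[gsm.sim.operator.iso-country]: [us]
[gsm.operator.iso-country]: [us]
[persist.sys.locale]: [en-US]
[ro.product.locale]: [en-US]'

# Usage: region_indicators "$SAMPLE_PROPS"   -> sim=us locale=en-US
#        us_gated "$SAMPLE_PROPS" && echo gated
```

Run `check_device` before detonating: if it reports US indicators, run `spoof_region tr tr-TR`, wait for the reboot, and re-run it. Even with the device reporting Turkey, an IP geolocation lookup from a US sandbox will still trip the third check, so the detonation host's egress has to match too.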
C2 Communication¶
- HTTPS-based communication
- Device registration with hardware fingerprint
- Command polling for overlay updates and target list
- Real-time keystroke exfiltration
Target Regions¶
| Region | Details |
|---|---|
| Turkey | Primary and exclusive target |
Frogblight targets major Turkish banks and financial institutions. The Turkish court document lures and the Turkish banking overlay targets establish the narrow geographic focus; the geofence, which excludes only US devices, is an analysis-evasion measure rather than a targeting one.
Notable Campaigns¶
2025: Kaspersky publishes Frogblight analysis, documenting the custom keyboard keylogging approach, court case smishing lures, and geofencing. The research notes possible connections to the Coper MaaS ecosystem, suggesting potential code sharing with the Exobot/Octo lineage.