
Introduction

Attacks that exploit regional and cultural elements are on the rise in the cybercrime world. A new Android banking malware called “Frogblight” is running a sophisticated campaign specifically targeting Turkish users.

This analysis covers the social engineering techniques used by Frogblight (fake applications disguised as e-Devlet/UYAP), its technical evolution, and the precautions that institutions/users should take.

The First Infection Vector: The “Hakkınızda Dava Dosyası Var (There’s a Case File Against You)” Trap

Frogblight’s primary distribution method is through smishing (SMS phishing) attacks. Attackers exploit Turkish users’ sensitivity to legal processes by implementing the following scenario:

  • Smishing: The victim receives a panic-inducing SMS message that says something like, “Hakkınızda açılan dava dosyasını görüntülemek için tıklayın (Click here to view the case file opened against you)”.
  • Fake Application: Users who click the link are persuaded to download a malicious APK file that mimics official government institutions (UYAP, e-Devlet) and is usually named “e-ifade”.
  • Permission Hijacking: When the application is installed, it requests critical permissions such as SMS reading/sending and file system access under the guise of “showing the file”.

It has also been observed that some versions of the malware change their icon to “Davalarım (My Cases)” or disguise themselves as the Chrome browser.

Technical Analysis and Stealing Mechanism

Frogblight goes beyond a classic overlay attack, using legitimate government websites as a stepping stone.

WebView Injection and Bank Identity Theft

When the malicious application is opened, it loads a real government website in a WebView (in-app browser) window. When the user attempts to log in or performs an action:

  • The system redirects the user to the online banking login screen regardless of the user’s preference.
  • JavaScript code is injected into every page loaded.
  • This code captures the Turkish National Identity Number, password, and bank PIN entered by the user (keylogging) and sends them to the attacker’s C2 server.

Espionage and Remote Control

Frogblight not only steals bank information, but also acts as a fully-fledged spyware:

  • SMS Management: It can read incoming SMS messages (to steal OTPs) and send bulk SMS messages from the victim’s phone without their knowledge (to spread the virus).
  • Contact and File Access: It steals the contact list, call logs, and list of installed applications on the device.
  • Evolving Communication: While the malware used the REST API in its early versions, newer variants have switched to the WebSocket protocol to make it harder to detect.

Additionally, the attacker registers a custom input method (a keyboard service named “com.puzzlesnap.quickgame.CustomKeyboardService”) that saves the victim’s keystrokes to a file.
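The permission profile described above (SMS read/send and file access requested under the “show the file” pretext, contact and call-log harvesting, and a service bound as a custom input method like the CustomKeyboardService just mentioned) is straightforward to triage from a decoded manifest. The following Python script is an added example, not code from the original analysis or from the Cyberthint team; the use of apktool for decoding, the package names and the sample manifest are assumptions.

```python
# Triage a decoded AndroidManifest.xml for the permission profile described above.
# Assumes the manifest was already decoded to plain XML (for example with apktool);
# the package names and the sample manifest below are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups the article ties to the campaign: SMS theft/spreading,
# contact, call-log and installed-app harvesting, and file system access.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
SPY_PERMS = {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
             "android.permission.QUERY_ALL_PACKAGES",
             "android.permission.MANAGE_EXTERNAL_STORAGE"}
# Service bind permissions that reveal a custom keyboard or accessibility service.
BIND_PERMS = {"android.permission.BIND_INPUT_METHOD": "custom input method",
              "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service"}

def triage_manifest(xml_text):
    """Return requested sensitive permissions, suspicious services and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        bind = svc.get(ANDROID_NS + "permission")
        if bind in BIND_PERMS:
            services.append((svc.get(ANDROID_NS + "name"), BIND_PERMS[bind]))
    findings = {"package": root.get("package"),
                "sms": sorted(requested & SMS_PERMS),
                "spy": sorted(requested & SPY_PERMS),
                "services": services}
    # A "case file viewer" that can read/send SMS and also harvests contacts or
    # ships its own keyboard matches the profile above: flag it for analyst review.
    findings["suspicious"] = bool(findings["sms"]) and bool(findings["spy"] or services)
    return findings

# Constructed sample manifest mimicking the profile described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.eifade.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Davalarim">
    <service android:name=".CustomKeyboardService"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the findings dict; a manifest that requests only INTERNET comes back with `suspicious` set to False.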

Traces of MaaS (Malware as a Service)

Investigations have provided strong evidence suggesting that the actors behind this threat may be Turkish or have a very good understanding of Türkiye.

  • Language Traces: The comment lines in the malware’s source code were found to be in Turkish.
  • Target Focus: The attack infrastructure and fake websites (e.g., e-ifade) were entirely designed to target the Turkish ecosystem.
  • Connection with Coper: The GitHub accounts used in the distribution of the malware were found to be linked to the previously known Coper banking Trojan.
  • Panel Structure: The admin panel used by the attackers contained the abbreviation “fr0g,” and there were indications that the panel was rented using a MaaS model.

Web Panel

The interface of the web panel used by the attackers to manage their operations has been identified. This panel has advanced features such as listing victim devices, filtering based on the presence of banking applications, and sending bulk SMS commands. The existence and structure of the panel are strong indicators that the malware may be leased using a MaaS model.

Beyond the fact that the attack was focused on Turkey, the clearest clue regarding the identity of the malware’s developers was found in the source code. The fact that the comments interspersed throughout Frogblight’s code lines are written in Turkish strengthens our belief that the developers speak Turkish and are most likely local actors.

“Coper” Trace on GitHub

Based on current intelligence, it is not possible at this stage to directly attribute Frogblight to a known, named APT group. However, a GitHub profile discovered during the analysis process has changed the course of the investigation:

  • Shared Repositories: The GitHub profile in question contained not only Frogblight code but also repositories containing “Coper” (a known and dangerous banking malware distributed via the MaaS model).
  • Connection Hypothesis: This finding suggests that the profile belongs to the attackers who distributed the Coper malware, and that this group expanded their operations by adding Frogblight to their portfolio. This proves that the attackers have prior experience with mobile banking Trojans.

IOCs

It is recommended that you implement a SIEM rule that raises an alarm whenever your firewalls block traffic to any of the following IoCs.

C2 Domains & IPs:

froglive[.]net
1249124fr1241og5121.sa[.]com
45.138.16[.]208[:]8080 (WebSocket connection)

Malware File Names:

e-ifade.apk
ChromeGüncelleme.apk
ChromeGuncelleme.apk

Hashes (MD5):


GitHub Repository (Frogblight phishing landing page source code):

https://github[.]com/eraykarakaya0020/e-ifade-vercel

The URL for the GitHub account containing the APK files for Frogblight and Coper is:

https://github[.]com/Chromeapk

Phishing Distribution URLs:

https://farketmez37[.]cfd/e-ifade.apk
https://farketmez36[.]sbs/e-ifade.apk
https://e-ifade-app-5gheb8jc.devinapps[.]com/e-ifade.apk
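As an added example of the SIEM rule recommended above (not part of the original report), the following Python script normalises the defanged C2 domains, the IP:port of the WebSocket endpoint and the phishing hosts listed above, then raises a hit for every blocked firewall or DNS event that touched one of them. The key=value log format and the sample log lines are constructed assumptions and will need adapting to your firewall’s export format.

```python
# Match firewall / DNS-filter log lines against the Frogblight IoCs listed above.
# IoC values are the article's (defanged); the key=value log format and the sample
# lines are constructed for illustration and must be adapted to your firewall export.
import re

DEFANGED_IOCS = [
    "froglive[.]net", "1249124fr1241og5121.sa[.]com",
    "45.138.16[.]208[:]8080",  # WebSocket C2 endpoint
    "farketmez37[.]cfd", "farketmez36[.]sbs", "e-ifade-app-5gheb8jc.devinapps[.]com",
]

def refang(value):
    """Undo the [.] and [:] defanging used in threat reports."""
    return value.replace("[.]", ".").replace("[:]", ":")

IOCS = {refang(v) for v in DEFANGED_IOCS}
IOCS |= {v.split(":")[0] for v in IOCS if ":" in v}  # C2 host on any port too

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse a key=value log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def match_event(event):
    """Return the IoC a blocked event touched (most specific first), or None."""
    if event.get("action") != "block":
        return None
    candidates = []
    if event.get("dst") and event.get("dport"):
        candidates.append(f"{event['dst']}:{event['dport']}")
    candidates += [event.get("dst"), event.get("dhost"), event.get("qname")]
    return next((c for c in candidates if c in IOCS), None)

def scan(lines):
    """Yield (source host, matched IoC) for each line that should raise an alarm."""
    for line in lines:
        ev = parse_line(line)
        hit = match_event(ev)
        if hit:
            yield ev.get("src", "?"), hit

SAMPLE_LOGS = [  # constructed
    "ts=2024-01-01T10:00:00Z action=block src=10.0.0.12 dst=45.138.16.208 dport=8080",
    "ts=2024-01-01T10:00:01Z action=block src=10.0.0.33 qname=froglive.net type=A",
    "ts=2024-01-01T10:00:02Z action=allow src=10.0.0.33 dst=192.0.2.10 dport=443",
    "ts=2024-01-01T10:00:03Z action=block src=10.0.0.45 dst=45.138.16.208 dport=443",
]
```

`list(scan(SAMPLE_LOGS))` yields three hits: the WebSocket endpoint on 8080, the froglive.net DNS lookup, and the C2 host on a non-standard port, while the allowed connection is ignored.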

Conclusion and Recommendations for Protection Against the Threat

Frogblight is an actively developed threat that combines social engineering with technical skills.

  • Links from Unidentified Sources: Absolutely do not click on SMS links that cause panic, such as those related to “Dava dosyası (Case file)” or “İcra takibi (Enforcement proceedings)”. E-government transactions should only be conducted through the official “turkiye.gov.tr” website or the official mobile application.
  • Application Permissions: A simple application (e.g., a file viewer) requesting SMS sending or accessibility permissions is a major red flag.
  • APK Installation: Avoid app stores other than the Google Play Store and keep the option to install applications from unknown sources disabled.

Author

Cyberthint

Cyberthint is a unified cyber threat intelligence platform. Everything you need is on a single platform! With Cyberthint, you can monitor and identify advanced threats and take early action.
