---
title: "BlankBot Trojan targets Turkish Android users! | Phish Protection"
description: "Turkish Android users are being targeted by the BlankBot banking trojan, a new malware designed to steal sensitive financial data and personal information from mobile devices."
image: "https://phishprotection.com/og/blog/blankbot-trojan-targets-turkish-android-users.png"
canonical: "https://phishprotection.com/blog/blankbot-trojan-targets-turkish-android-users/"
---

Quick Answer

Turkish language speakers are being targeted by a malicious Android program. This program is targeting them with the sole purpose of gaining access to users' sensitive data.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fblankbot-trojan-targets-turkish-android-users%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=BlankBot%20Trojan%20targets%20Turkish%20Android%20users!&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fblankbot-trojan-targets-turkish-android-users%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Fblankbot-trojan-targets-turkish-android-users%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fblankbot-trojan-targets-turkish-android-users%2F&title=BlankBot%20Trojan%20targets%20Turkish%20Android%20users! "Share on Reddit") [ ](mailto:?subject=BlankBot%20Trojan%20targets%20Turkish%20Android%20users!&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Fblankbot-trojan-targets-turkish-android-users%2F "Share via Email") 

![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2024/08/phishing-attack-prevention-8547.jpg) 

Turkish language speakers are being targeted by a [malicious Android program](https://support.google.com/accounts/answer/9924802). This program is targeting them with the sole purpose of gaining access to users’ **sensitive data**.

The malicious program leverages [Web Injections](https://www.ibm.com/docs/en/snips/4.6.0?topic=categories-injection-attacks) to manipulate users into providing sensitive details in the form of screen grabs and keystrokes. **Cyber experts** have named the Trojan as BlankBot and believe that it is still in the developing phase. BlankBot manages to go undetected through anti-malware scanners as well. 

[Cybersecurity](/content/cybersecurity-in-a-nutshell) experts believe that the Trojan developers have enough experience in **Android application** development as well as in ATO or [Account Take Over business](https://www.imperva.com/learn/application-security/account-takeover-ato/). _As per the experts, this group of Trojan developers mimic account pages by leveraging openly available libraries_. 

Basically, these libraries make it easy for the threat actors to copy **legitimate applications** with greater accuracy. The fake [phishing](https://www.techtarget.com/searchsecurity/definition/phishing) page resembles the original ones so closely that users don’t get suspicious at all.

Experts don’t have any clarity yet as to why the group is targeting Turkish people. This is not the first time that Turkey is facing a cyberattack. Of late,[China’s APT41](https://www.darkreading.com/threat-intelligence/china-apt41-targets-global-logistics-utilities)attacked Turkey’s automotive industry and **technology infrastructure**.[India’s SideWinder](https://www.darkreading.com/cyberattacks-data-breaches/sidewinder-strikes-victims-pakistan-turkey-multiphase-polymorphic-attack), too, has been targeting Turkish individuals.

![Phishing attack prevention](https://media.mailhop.org/phishprotection/images/2024/08/phishing-attack-prevention-8547.jpg) 

The Trojan comes equipped with multiple features. _BlankBot asks for permission from the users and then leverages the accessibility features of Android in order to **gain control** of your smartphone_. The moment BlankBot gets access to controls, it starts recording your phone’s screen by using the [MediaProjection API](https://developer.android.com/media/grow/media-projection).

The recording gets saved in the form of JPEG images, which are further sent to some remote server . The accessibility services also enable the malware to spoof your finger swipes. BlankBot allows threat actors to carry out [on-device fraud](https://www.zimperium.com/glossary/on-device-fraud/) (ODF) by manipulating different kinds of user gestures, such as swipes and clicks. BlankBot is also known for its ability to collect **phone contacts**, and SMS texts and create overlays. 

Cybersecurity experts believe that this has not been **developed for espionage**. Rather it’s core purpose is to make easy and quick [monetary gains](https://www.sciencedirect.com/science/article/abs/pii/S0014292122002379). In case the threat actors try using BlankBot for espionage purposes, it can get detected easily in [anti-malware](/content/protection-against-malware/how-to-prevent-malware-attacks) setups. 

_As of now, experts have not been able to zero down upon any specific financial institutions that are the direct target of the **malware**_. Also, the malware has the capacity to target non-Turkish users as well.

A spokesperson from Google said that [Google Play Protect](/phishing/how-something-meant-to-protect-your-mobile-device-is-being-used-to-phish-you) has not yet detected any such malware in their apps. They have advised users to download apps only from the **Play Store** to enhance the level of security.

Cyber experts have advised users to manage their Android permissions with caution. Users should be highly attentive while allowing any kind of permissions, as part of overall [phishing protection](/). _Also, [accessibility permissions](https://www.protectt.ai/risk%5Fand%5Fimpacts%5Fof%5Faccessibility%5Fpermission) require complete attention as they can make your device **remotely accessible** to the threat actors_.

Experts believe that apart from [data theft](https://www.bbc.com/news/articles/cmmm2qpznelo), BlankBot is also able to intercept your text messages, uninstall mandatory applications, mimic **lock patterns**, and collect data from your already installed apps.

## Topics

[ Phishing ](/tags/phishing/) 

![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Protect your inbox from phishing attacks

Real-time email security with 60-day free trial. No credit card required.

[Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) 

## Related Articles

[  Foundational 5m  0ktapus, Okta Breach Helps Attackers Launch Sophisticated Supply Chain Attacks  Sep 5, 2022 ](/blog/0ktapus-okta-breach-helps-attackers-launch-sophisticated-supply-chain-attacks/)[  Foundational 4m  13 Spear Phishing Attacks Examples To Justify Investment For Phishing Prevention Solutions In Your Organization  Aug 1, 2019 ](/blog/13-spear-phishing-attacks-examples-to-justify-investment-for-phishing-prevention-solutions-in-your-organization/)[  Foundational 4m  All 14 centers of Kettering Health were affected by a massive ransomware attack, Major outage in the Ohio medical center  May 23, 2025 ](/blog/14-centers-of-kettering-health-were-affected-by-massive-ransomware-attack-in-ohio-medical-center/)[  Foundational 4m  2021 Phishing Trends You Need To Be Wary Of  Aug 2, 2021 ](/blog/2021-phishing-trends-to-be-wary-of/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"BlankBot Trojan targets Turkish Android users!","description":"Turkish Android users are being targeted by the BlankBot banking trojan, a new malware designed to steal sensitive financial data and personal information from mobile devices.","url":"https://phishprotection.com/blog/blankbot-trojan-targets-turkish-android-users/","datePublished":"2024-08-08T10:45:38.000Z","dateModified":"2026-04-17T15:43:10.000Z","dateCreated":"2024-08-08T10:45:38.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/blankbot-trojan-targets-turkish-android-users/"},"articleSection":"foundational","keywords":"Phishing","wordCount":562,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2024/08/phishing-attack-prevention-8547.jpg","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://phishprotection.com/foundational/"},{"@type":"ListItem","position":4,"name":"BlankBot Trojan targets Turkish Android users!","item":"https://phishprotection.com/blog/blankbot-trojan-targets-turkish-android-users/"}]}
```