Datzbro Trojan: Spyware-Banking Malware Hijacks Seniors’ Devices with Fake Facebook Lures
Fraudsters have discovered a new method of targeting elderly users by exploiting fake Facebook events and a malicious Android application known as Datzbro. This program masquerades as a legitimate service but enables attackers to seize full control of the device, granting them access to personal data and banking applications. The campaign, uncovered in August 2025 by ThreatFabric researchers, has spread across Australia, Singapore, Malaysia, Canada, South Africa, and the United Kingdom.
The primary targets are older individuals drawn to travel and social activities. To lure victims, criminals create counterfeit social media groups filled with AI-generated content. Once trust is established, users are redirected to Messenger or WhatsApp, where they are persuaded to install a so-called “community app” for registration, communication, and event schedules. In reality, these links deliver malicious APK files. In some cases, placeholder links for iOS were also observed, suggesting plans to extend the operation to Apple devices.
The Android apps distributing Datzbro carry names such as “Senior Group,” “Lively Years,” “ActiveSenior,” and even counterfeit versions of Chinese services. Some leverage Zombinder, a service that binds malicious code with legitimate components, allowing the malware to bypass restrictions in Android 13 and newer versions. This technique ensures that the trojan installs without raising suspicion.
The malware itself offers a broad arsenal of functions: it can capture screenshots and audio, browse files and photos, hijack screen control, log keystrokes, and operate the device as if it were the user. It exploits Android’s accessibility services to seize control, analyze on-screen content, and even replicate the device’s interface remotely for the operator.
Datzbro also employs deceptive overlays — semi-transparent black screens with text — to conceal its activity, while stealing lockscreen PINs and credentials for services like Alipay and WeChat. It scans for package names linked to banking apps and cryptocurrency wallets, as well as any text containing passwords or access codes, effectively turning the malware into a powerful tool for financial fraud.
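The capability set described above (an accessibility service for screen reading and control, overlay windows, audio capture, and enumerating installed packages to find banking apps) is visible in an app's manifest before it ever runs. The following triage script is an added example, not code from ThreatFabric's report or from the malware; it assumes the AndroidManifest.xml has already been decoded to plain XML, and both manifests it inspects are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators drawn from the behaviours described above. These are real Android
# permission names; the mapping to a behaviour label is this example's own.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay screens",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.READ_EXTERNAL_STORAGE": "browse files and photos",
    "android.permission.READ_MEDIA_IMAGES": "browse files and photos",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the behaviour indicators declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_INDICATORS:
            found.add(PERMISSION_INDICATORS[name])
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # that is the hook used to read on-screen content and act as the user.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM:
            found.add("accessibility service")
    # Accessibility control plus overlays is the combination behind remote
    # operation and hidden activity, so flag it as high risk on its own.
    high = {"accessibility service", "overlay screens"} <= found
    return {"indicators": sorted(found), "high_risk": high}


# Constructed sample: a "community app" requesting the full capability set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.communityapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".ScreenService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a plain event-schedule app with only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.events">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print("suspicious:", triage_manifest(SUSPICIOUS_MANIFEST))
    print("benign:", triage_manifest(BENIGN_MANIFEST))
```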
The code of Datzbro includes Chinese-language debugging and logging strings, while its control system is implemented as a desktop application in Chinese — distinguishing it from many other trojans that rely on web-based dashboards. ThreatFabric reports that one version of its C2 application surfaced in a public malware repository, suggesting a possible leak that could accelerate its spread among cybercriminals.
The discovery of Datzbro coincided with the emergence of another mobile threat — PhantomCall, tied to the AntiDot campaign and analyzed by IBM X-Force and PRODAFT. PhantomCall disguises itself as a fake Chrome browser and is capable of blocking calls, manipulating them via USSD, and concealing its presence. It leverages the CallScreeningService API, allowing attackers to isolate victims from legitimate calls while exploiting their data to deceive banking systems.
The growing sophistication of such operations underscores just how vulnerable social platforms and unsuspecting users remain — particularly when technology is weaponized not for protection, but for manipulation.