Datzbro Banking Trojan
Cybersecurity researchers have recently uncovered a previously undocumented Android banking trojan named Datzbro, designed to perform device takeover (DTO) attacks and conduct fraudulent financial transactions. The malware primarily targets elderly users, exploiting their trust through social media-based social engineering campaigns.
Social Engineering Through Facebook Groups
The campaign was first detected in August 2025 after reports from Australian users. Threat actors managed Facebook groups promoting 'active senior trips,' targeting elderly individuals interested in social activities, events, and in-person gatherings. Additional regions affected include Singapore, Malaysia, Canada, South Africa, and the U.K.
These Facebook groups frequently share AI-generated content, claiming to organize events for seniors. If a target expresses interest, attackers approach them via Facebook Messenger or WhatsApp, prompting them to download an APK file from a fraudulent link (e.g., download.seniorgroupapps.com).
The fake websites promote a so-called community application, claiming it would allow seniors to:
- Register for events and activities.
- Connect with other group members.
- Track upcoming schedules.
Some sites also contain placeholder links for an iOS app, suggesting the attackers intend to target iOS users as well, with TestFlight builds as the distribution vehicle for tricking those victims.
How Datzbro Infects Devices
When a victim installs the downloaded Android app, it either:
- Installs the malware directly on the device, or
- Runs a dropper built with Zombinder, an APK binding service that attaches the payload to a legitimate-looking app and evades the Restricted Settings protection that Android 13 and later apply to sideloaded apps (which would otherwise block the payload from being granted Accessibility Service access).
Several malicious apps have been identified distributing Datzbro. The later entries impersonate popular Chinese apps (English name in quotes, package name in parentheses):
- Senior Group (twzlibwr.rlrkvsdw.bcfwgozi)
- Lively Years (orgLivelyYears.browses646)
- ActiveSenior (com.forest481.security)
- DanceWave (inedpnok.kfxuvnie.mggfqzhl)
- 作业帮, "Zuoyebang", a homework-help app (io.mobile.Itool)
- 麻豆传媒, "Madou Media" (fsxhibqhbh.hlyzqkd.aois)
- 麻豆传媒, "Madou Media" (mobi.audio.aassistant)
- 谷歌浏览器, "Google Chrome" (tvmhnrvsp.zltixkpp.mdok)
- MT管理器, "MT Manager" (varuhphk.vadneozj.tltldo)
- MT管理器, "MT Manager" (spvojpr.bkkhxobj.twfwf)
- 大麦, "Damai", a ticketing app (mnamrdrefa.edldylo.zish)
- MT管理器, "MT Manager" (io.red.studio.tracker)
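The package names above are the most directly usable indicators. As an added example (not code from the report or from the researchers), the script below matches the third-party packages installed on a device against that list and also flags every package that was not installed by the Play Store, since Datzbro only arrives by sideloading. It parses the text that `adb shell pm list packages -3 -i` prints; the sample input embedded here is constructed, and the assumption that `com.android.vending` is the Play Store's installer identity holds on Google-certified devices.

```python
"""Triage a device's third-party package list for Datzbro indicators.

Added example, not code from the report. Input is the output of
`adb shell pm list packages -3 -i` (one line per package:
`package:<name>  installer=<installer-or-null>`).
"""
import re

# Package names of the Datzbro samples listed in the text (IOCs).
DATZBRO_PACKAGES = {
    "twzlibwr.rlrkvsdw.bcfwgozi",
    "orgLivelyYears.browses646",
    "com.forest481.security",
    "inedpnok.kfxuvnie.mggfqzhl",
    "io.mobile.Itool",
    "fsxhibqhbh.hlyzqkd.aois",
    "mobi.audio.aassistant",
    "tvmhnrvsp.zltixkpp.mdok",
    "varuhphk.vadneozj.tltldo",
    "spvojpr.bkkhxobj.twfwf",
    "mnamrdrefa.edldylo.zish",
    "io.red.studio.tracker",
}

# Assumption: the Play Store identifies itself as com.android.vending when it
# installs an app; any other installer (or none) means the app was sideloaded.
PLAY_STORE_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(text):
    """Map package name -> installer package (None when pm printed 'null')."""
    installed = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # ignore blank lines or anything that is not a package line
        installer = m.group("installer")
        installed[m.group("pkg")] = None if installer == "null" else installer
    return installed


def triage(pm_output):
    """Return (known Datzbro packages present, all sideloaded packages), both sorted."""
    installed = parse_pm_list(pm_output)
    ioc_hits = sorted(pkg for pkg in installed if pkg in DATZBRO_PACKAGES)
    sideloaded = sorted(
        pkg for pkg, installer in installed.items()
        if installer not in PLAY_STORE_INSTALLERS
    )
    return ioc_hits, sideloaded


# Constructed sample of `pm list packages -3 -i` output: one Play Store app,
# one Datzbro package installed with no recorded installer, one Datzbro package
# installed through the system package installer (a manual APK install).
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.forest481.security  installer=null
package:varuhphk.vadneozj.tltldo  installer=com.google.android.packageinstaller
package:com.example.vpn  installer=com.android.vending
"""

if __name__ == "__main__":
    hits, sideloaded = triage(SAMPLE_PM_OUTPUT)
    print("Known Datzbro packages:", hits)
    print("Sideloaded packages to review:", sideloaded)
```

The second list is the useful one once the malware is repackaged under a new name: a sideloaded app that is not in the indicator list still deserves a look, and the next check a practitioner would run is whether it holds Accessibility Service access.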
Capabilities and Financial Threats
Datzbro possesses a wide array of spyware and financial fraud functionalities, including:
- Recording audio and capturing photos.
- Accessing files and photos.
- Conducting overlay attacks, keylogging, and remote device control.
- Using Android accessibility services to perform automated actions on the victim’s behalf.
A standout feature is its schematic remote control mode, which sends the attackers a structured description of every on-screen element (its position and content, as exposed through the accessibility service) rather than raw screen pixels. This lets them rebuild the interface on their side and fully control the device remotely.
Additionally, Datzbro can:
- Display semi-transparent overlays with custom text to hide malicious activity.
- Steal device lock screen PINs and passwords for Alipay and WeChat.
- Monitor accessibility events generated by banking or cryptocurrency wallet apps and extract the credentials typed into them.
These functions highlight the malware’s focus on financial gain, turning what begins as spyware into a sophisticated threat for stealing sensitive banking information.
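Every capability above except audio and photo capture depends on two grants the victim is talked into giving: an enabled Accessibility Service and the overlay (SYSTEM_ALERT_WINDOW) permission. As an added example (not the report's code), the script below reads the device's enabled-accessibility-services setting and each package's overlay app-op and reports untrusted packages that hold one or both. It parses the text of `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`; the trusted-package allowlist and the sample values are constructed for the example.

```python
"""Find apps holding the accessibility and overlay grants a DTO trojan needs.

Added example, not code from the report. Inputs:
  - value of `settings get secure enabled_accessibility_services`
    (colon-separated `package/ServiceClass` entries, or `null` when unset);
  - per-package output of `appops get <pkg> SYSTEM_ALERT_WINDOW`.
"""
import re

# Assumption: packages the practitioner trusts to hold accessibility access
# (screen readers and similar). Extend for the fleet being checked.
TRUSTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}

APPOPS_MODE = re.compile(r"SYSTEM_ALERT_WINDOW:\s*(\w+)")


def parse_enabled_a11y(setting_value):
    """Return [(package, service_class)] for every enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    entries = []
    for item in value.split(":"):
        pkg, _, cls = item.partition("/")
        if pkg:
            entries.append((pkg, cls))
    return entries


def overlay_mode(appops_text):
    """Return the app-op mode ('allow', 'deny', 'ignore', 'default') or None if absent."""
    m = APPOPS_MODE.search(appops_text)
    return m.group(1) if m else None


def suspicious_grants(setting_value, appops_by_pkg):
    """Untrusted packages with accessibility access, noting whether they can draw overlays."""
    findings = []
    for pkg, cls in parse_enabled_a11y(setting_value):
        if pkg in TRUSTED_A11Y_PACKAGES:
            continue
        has_overlay = overlay_mode(appops_by_pkg.get(pkg, "")) == "allow"
        findings.append({"package": pkg, "service": cls, "overlay": has_overlay})
    return findings


# Constructed sample values. The Datzbro package name is from the IOC list in
# the text; the service class name and the app-op lines are made up for the example.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.forest481.security/.AccessService"
)
SAMPLE_APPOPS = {
    "com.forest481.security": "SYSTEM_ALERT_WINDOW: allow; time=+3h22m14s135ms ago\n",
    "com.google.android.marvin.talkback": "No operations.\n",
}

if __name__ == "__main__":
    for finding in suspicious_grants(SAMPLE_A11Y_SETTING, SAMPLE_APPOPS):
        print(finding)
```

A package that appears in this output and is also sideloaded is the combination to treat as a device-takeover candidate: disabling the service (`adb shell settings put secure enabled_accessibility_services ...` with the entry removed) stops the remote control and keylogging immediately, and removing the package follows.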
Attribution and Command-and-Control Infrastructure
Analysis suggests Datzbro is linked to a Chinese-speaking threat group, as evidenced by Chinese debugging and logging strings in the malware’s source code. Unlike many malware families that rely on web-based C2 panels, Datzbro connects to a Chinese-language desktop application for command-and-control operations.
A compiled build of this C2 application has been uploaded to a public malware-sample repository, so the tooling may now circulate freely among other cybercriminals, increasing the malware's potential reach.
Implications for Mobile Security
The discovery of Datzbro illustrates the evolution of mobile threats, particularly those exploiting social engineering to target vulnerable populations. By focusing on seniors and leveraging seemingly benign Facebook events, attackers can escalate a simple social interaction into device takeover, credential theft, and financial fraud.
This campaign highlights the importance of vigilance in mobile security, particularly for elderly users who may be targeted via trust-based social networks.