Fyself News
New Android Trojan “Datzbro” Tricking ai Generated Facebook Travel Events for Seniors

By user, September 30, 2025

Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro, which allows its operators to perform device takeover (DTO) attacks, prey on older people and carry out fraudulent transactions.

The Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after receiving a report about a scammer managing Facebook groups that promote “active advanced travel.” Other regions targeted by the threat actors include Singapore, Malaysia, Canada, South Africa and the UK.

The company added that the campaign focuses on seniors looking for social activities, travel, face-to-face meetings and similar events. The Facebook groups have been found to share artificial intelligence (AI)-generated content claiming to organize a variety of activities aimed at seniors.

If a prospective target expresses interest in taking part in these events, they are then approached via Facebook Messenger or WhatsApp, where they are asked to download an APK file from a malicious link (e.g. “Download.SeniorGroupApps[.]com”).

“The fake websites encourage visitors to install so-called community applications, register for events, connect with members, and track scheduled activities,” ThreatFabric said in a report shared with The Hacker News.

Interestingly, the website was also found to contain placeholder links for downloading iOS applications. This suggests the attackers are targeting both mobile operating systems, delivering a TestFlight app for iOS to trick victims into downloading it.

When the victim clicks the button to download the Android application, it leads either to the direct deployment of the malware on the device or to a dropper built with an APK binding service called Zombinder, which bypasses the security restrictions introduced in Android 13 and above.

Some of the Android apps through which Datzbro has been found to be distributed are listed below –

  • Senior Group (twzlibwr.rlrkvsdw.bcfwgozi)
  • Lively Years (orglivelyyears.Browses646)
  • ActiveSenior (com.forest481.security)
  • DanceWave (inedpnok.kfxuvnie.mggfqzhl)
  • App name not preserved (fsxhibqhbh.hlyzqkd.aois)
  • Madou Ryomi (mobi.audio.aassistant)
  • Tani Uta Gassen (tvmhnrvsp.zltixkpp.mdok)
  • MT Manager (varuhphk.vadneozj.tltldo)
  • MT Manager (spvojpr.bkkhxobj.twfwf)
  • Barley (mnamrdrefa.edldylo.zish)
  • MT Manager (io.red.studio.tracker)

The malware, like other Android banking trojans, has a wide range of capabilities: recording audio, capturing photos, exfiltrating files and photos, and carrying out financial fraud through remote control, overlay attacks and keylogging. It also relies on Android accessibility services to perform remote actions on behalf of the victim.

A notable feature of Datzbro is its general remote control mode. In this mode the malware sends information about every element that appears on the screen, including its location and content, allowing the operator to recreate the screen layout and effectively drive the device.

The banking trojan can also display a translucent black overlay with custom text to hide its malicious activity from the victim, and it steals device lock screen PINs and passwords as well as those for Alipay and WeChat. Additionally, it scans accessibility event logs for text that contains package names associated with banks and cryptocurrency wallets, as well as passwords, PINs or other codes.
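The package names listed above and the malware's reliance on accessibility services give a defender two cheap things to check on a device suspected of infection. The following Python script is an added example (not code from ThreatFabric or the article): it parses the text output of two standard adb commands, `adb shell pm list packages -3` (third-party packages, one `package:<name>` per line) and `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `<package>/<service class>`), flags any installed package that matches the names reported in the article, and flags any other third-party app that has an accessibility service enabled and is not on an allow-list. The sample outputs and the allow-list entry `com.example.screenreader` are constructed for the example.

```python
"""Triage adb output for Datzbro indicators (added example, not the report's code)."""
from dataclasses import dataclass

# Package names the article lists as Datzbro distribution apps.
DATZBRO_PACKAGES = frozenset({
    "twzlibwr.rlrkvsdw.bcfwgozi",
    "orglivelyyears.Browses646",
    "com.forest481.security",
    "inedpnok.kfxuvnie.mggfqzhl",
    "fsxhibqhbh.hlyzqkd.aois",
    "mobi.audio.aassistant",
    "tvmhnrvsp.zltixkpp.mdok",
    "varuhphk.vadneozj.tltldo",
    "spvojpr.bkkhxobj.twfwf",
    "mnamrdrefa.edldylo.zish",
    "io.red.studio.tracker",
})

# Hypothetical allow-list of third-party apps expected to hold accessibility
# access on a managed device (assumption for this example; tune per fleet).
ACCESSIBILITY_ALLOWLIST = frozenset({"com.example.screenreader"})


@dataclass
class Finding:
    package: str
    reason: str


def parse_package_list(text: str) -> set[str]:
    """Parse `pm list packages` output: one `package:<name>` per line."""
    pkgs: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):].strip())
    return pkgs


def parse_enabled_accessibility(text: str) -> set[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is `pkg/ServiceClass` entries separated by ':'; an empty
    string or the literal 'null' means no service is enabled.
    """
    text = text.strip()
    if not text or text == "null":
        return set()
    pkgs: set[str] = set()
    for entry in text.split(":"):
        entry = entry.strip()
        if entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def triage_device(pkg_text: str, a11y_text: str) -> list[Finding]:
    """Return findings ordered: known-bad packages first, then accessibility review items."""
    installed = parse_package_list(pkg_text)
    a11y = parse_enabled_accessibility(a11y_text)
    findings: list[Finding] = []
    for pkg in sorted(installed & DATZBRO_PACKAGES):
        findings.append(Finding(pkg, "known Datzbro package name is installed"))
    for pkg in sorted(a11y):
        if pkg in DATZBRO_PACKAGES:
            findings.append(Finding(pkg, "known Datzbro package has an accessibility service enabled"))
        elif pkg in installed and pkg not in ACCESSIBILITY_ALLOWLIST:
            findings.append(Finding(pkg, "third-party app with an accessibility service enabled; review"))
    return findings


# Constructed sample output, as the two adb commands would print it.
SAMPLE_PACKAGES = """package:com.example.bank
package:com.forest481.security
package:com.example.screenreader
package:com.example.notes
"""
SAMPLE_A11Y = "com.forest481.security/.AccessService:com.example.screenreader/.ReaderService"


def run_example() -> list[Finding]:
    return triage_device(SAMPLE_PACKAGES, SAMPLE_A11Y)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.package}: {f.reason}")
```

Matching on package names only catches the samples already reported; the accessibility check is the more durable signal, since a repackaged build of the same trojan still has to be granted accessibility access to drive the device.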

“These filters clearly illustrate the developer’s focus behind Datzbro, which not only has spyware capabilities but also turns it into a financial threat,” ThreatFabric said. “With the help of the keylogging feature, Datzbro can successfully capture login credentials for mobile banking applications entered by unsuspecting victims.”

Datzbro is believed to be the work of a Chinese-speaking threat group, given the presence of Chinese debugging and logging strings in the malware source code. The malicious apps are known to connect to a Chinese desktop application that serves as the command-and-control (C2) backend, which sets them apart from other malware families that rely on web-based C2 panels.

ThreatFabric says a modified version of the C2 application has leaked to public malware-sharing sites, suggesting that the malware itself has leaked and could be distributed freely among cybercriminals.

“Datzbro’s discovery highlights the evolution of mobile threats targeting unsuspecting users through social engineering campaigns,” the company said. “By focusing on seniors, fraudsters leverage trust and community-oriented activities to lure victims into installing malware. What starts as a seemingly harmless event promotion on Facebook can escalate to device takeover, credential theft and financial fraud.”

The disclosure comes as IBM X-Force detailed an Antidot Android banking malware campaign, codenamed PhantomCall, that targets users of major financial institutions across Spain, Italy, France, the US, Canada, the United Arab Emirates and India. The campaign uses a dropper app posing as Google Chrome that can bypass the access restrictions introduced in Android 13.

According to an analysis published by Prodaft in June 2025, Antidot is attributed to a financially motivated threat actor tracked as Larva-398, which offers it to others under a malware-as-a-service (MaaS) model on underground forums.

The latest campaigns are designed to abuse the CallScreeningService API to monitor incoming calls and selectively block them based on a dynamically generated list of phone numbers stored in shared preferences, allowing attackers to prolong unauthorized access, complete unauthorized transactions or delay detection.

“PhantomCall allows attackers to initiate call forwarding by sending USSD codes for unconditional call redirection. Meanwhile, they abuse CallScreeningService on Android to block legitimate incoming calls, effectively isolating victims and allowing for spoofing.

“These capabilities play a key role in coordinating high-impact financial fraud by blocking victims from actual communication channels and allowing attackers to act on their behalf without raising doubt.”
