Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly.
Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after users in Australia reported scammers managing Facebook groups promoting “active senior trips.” Some of the other territories targeted by the threat actors include Singapore, Malaysia, Canada, South Africa, and the U.K.
The campaigns, it added, specifically focused on elderly people looking for social activities, trips, in-person meetings, and similar events. These Facebook groups have been found to share artificial intelligence (AI)-generated content, claiming to organize various activities for seniors.
Should prospective targets express willingness to participate in these events, they are subsequently approached via Facebook Messenger or WhatsApp, where they are asked to download an APK file from a fraudulent link (e.g., “download.seniorgroupapps[.]com”).
“The fake websites prompted visitors to install a so-called community application, claiming it would allow them to register for events, connect with members, and track scheduled activities,” ThreatFabric said in a report shared with The Hacker News.
Interestingly, the websites have also been found to contain placeholder links to download an iOS application, indicating that the attackers are looking to target both the mobile operating systems, distributing TestFlight apps for iOS and trick victims into downloading them.
Should the victim click on the button to download the Android application, it either leads to the direct deployment of the malware on their devices, or that of a dropper that’s built using an APK binding service dubbed Zombinder to bypass security restrictions on Android 13 and later.
Some of the Android apps that have been found distributing Datzbro are listed below –
- Senior Group (twzlibwr.rlrkvsdw.bcfwgozi)
- Lively Years (orgLivelyYears.browses646)
- ActiveSenior (com.forest481.security)
- DanceWave (inedpnok.kfxuvnie.mggfqzhl)
- 作业帮 (io.mobile.Itool)
- 麻豆传媒 (fsxhibqhbh.hlyzqkd.aois
- 麻豆传媒 (mobi.audio.aassistant)
- 谷歌浏览器 (tvmhnrvsp.zltixkpp.mdok)
- MT管理器 (varuhphk.vadneozj.tltldo)
- MT管理器 (spvojpr.bkkhxobj.twfwf)
- 大麦 (mnamrdrefa.edldylo.zish)
- MT管理器 (io.red.studio.tracker)
The malware, like other Android banking trojans, has a wide range of capabilities to record audio, capture photos, access files and photos, and conduct financial fraud through remote control, overlay attacks, and keylogging. It also relies on Android’s accessibility services to perform remote actions on the victim’s behalf.
A notable feature of Datzbro is the schematic remote control mode, which allows the malware to send information about all the elements displayed on the screen, their position, and content, so as to allow the operators to re-create the layout at their end and effectively commandeer the device.
The banking trojan can also serve as a semi-transparent black overlay with custom text so as to hide the malicious activity from a victim, as well as steal the device lock screen PIN and passwords associated with Alipay and WeChat. Furthermore, it scans accessibility event logs for package names related to banks or cryptocurrency wallets, and for text containing passwords, PINs, or other codes.
“Such a filter clearly shows the focus of the developers behind Datzbro, not only using its Spyware capabilities, but also turning it into a financial threat,” ThreatFabric said. “With the help of keylogging capabilities, Datzbro can successfully capture login credentials for mobile banking applications entered by unsuspecting victims.”
It’s believed that Datzbro is the work of a Chinese-speaking threat group, given the presence of Chinese debug and logging strings in the malware source code. The malicious apps have been found to be connected to a command-and-control (C2) backend that’s a Chinese-language desktop application, making it stand apart from other malware families that rely on web-based C2 panels.
ThreatFabric said a compiled version of the C2 app has been uploaded to a public virus share, suggesting that the malware may have been leaked and is being distributed freely among cybercriminals.
“The discovery of Datzbro highlights the evolution of mobile threats targeting unsuspecting users through social engineering campaigns,” the company said. “By focusing on seniors, fraudsters exploit trust and community-oriented activities to lure victims into installing malware. What begins as a seemingly harmless event promotion on Facebook can escalate into device takeover, credential theft, and financial fraud.”
The disclosure comes as IBM X-Force detailed an AntiDot Android banking malware campaign codenamed PhantomCall that has targeted users of major financial institutions globally, spanning Spain, Italy, France, the U.S., Canada, the U.A.E., and India, using fake Google Chrome dropper apps that can get around Android 13’s controls that prevent sideloaded apps from exploiting accessibility APIs.
According to an analysis published by PRODAFT in June 2025, AntiDot is attributed to a financially motivated threat actor called LARVA-398 and is available to others under a Malware-as-a-Service (MaaS) model on underground forums.
The latest campaign is designed to make use of the CallScreeningService API to monitor incoming calls and selectively block them based on a dynamically generated list of phone numbers stored in the phone’s shared preferences, effectively allowing the attackers to prolong unauthorized access, complete fraudulent transactions, or delay detection.
“PhantomCall also enables attackers to initiate fraudulent activity by silently sending USSD codes to redirect calls, while abusing Android’s CallScreeningService to block legitimate incoming calls, effectively isolating victims and enabling impersonation,” security researcher Ruby Cohen said.
“These capabilities play a critical role in orchestrating high-impact financial fraud by cutting off victims from real communication channels and enabling attackers to act on their behalf without raising suspicion.”
Update
Google shared the below statement with The Hacker News following the publication of the story –
Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
(The story was updated after publication to include a response from Google.)
