Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and carry out fraudulent transactions by preying on the elderly.
Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after users in Australia reported scammers managing Facebook groups promoting "active senior trips." Some of the other territories targeted by the threat actors include Singapore, Malaysia, Canada, South Africa, and the U.K.
The campaigns, it added, specifically focused on elderly people looking for social activities, trips, in-person meetings, and similar events. These Facebook groups were found to share artificial intelligence (AI)-generated content, claiming to organize various activities for seniors.
Should potential targets express willingness to participate in these events, they are subsequently approached via Facebook Messenger or WhatsApp, where they are asked to download an APK file from a fraudulent link (e.g., "download.seniorgroupapps[.]com").
"The fake websites prompted visitors to install a so-called group application, claiming it would allow them to register for events, connect with members, and track scheduled activities," ThreatFabric said in a report shared with The Hacker News.
Interestingly, the websites have also been found to contain placeholder links to download an iOS application, indicating that the attackers want to target both mobile operating systems, distributing TestFlight apps for iOS and tricking victims into downloading them.
Should the victim click on the button to download the Android application, it either leads to the direct deployment of the malware on their device, or to that of a dropper built using an APK binding service dubbed Zombinder to bypass security restrictions on Android 13 and later.
Some of the Android apps that have been found distributing Datzbro are listed below –
Senior Group (twzlibwr.rlrkvsdw.bcfwgozi)
Active Years (orgLivelyYears.browses646)
ActiveSenior (com.forest481.safety)
DanceWave (inedpnok.kfxuvnie.mggfqzhl)
作业帮 (io.cell.Itool)
麻豆传媒 (fsxhibqhbh.hlyzqkd.aois
麻豆传媒 (mobi.audio.aassistant)
谷歌浏览器 (tvmhnrvsp.zltixkpp.mdok)
MT管理器 (varuhphk.vadneozj.tltldo)
MT管理器 (spvojpr.bkkhxobj.twfwf)
大麦 (mnamrdrefa.edldylo.zish)
MT管理器 (io.pink.studio.tracker)
The malware, like other Android banking trojans, has a wide range of capabilities to record audio, capture photos, access files and images, and conduct financial fraud through remote control, overlay attacks, and keylogging. It also relies on Android's accessibility services to perform remote actions on the victim's behalf.
A notable feature of Datzbro is its schematic remote control mode, which allows the malware to send information about all the elements displayed on the screen, their position, and their content, so that the operators can re-create the layout at their end and effectively commandeer the device.
The banking trojan can also display a semi-transparent black overlay with custom text to hide the malicious activity from the victim, as well as steal the device lock screen PIN and the passwords associated with Alipay and WeChat. Furthermore, it scans accessibility event logs for package names related to banks or cryptocurrency wallets, and for text containing passwords, PINs, or other codes.
"Such a filter clearly shows the focus of the developers behind Datzbro, not only using its spyware capabilities, but also turning it into a financial threat," ThreatFabric said. "With the help of keylogging capabilities, Datzbro can successfully capture login credentials for mobile banking applications entered by unsuspecting victims."
It's believed that Datzbro is the work of a Chinese-speaking threat group, given the presence of Chinese debug and logging strings in the malware source code. The malicious apps have been found to be linked to a command-and-control (C2) backend that is a Chinese-language desktop application, setting it apart from other malware families that rely on web-based C2 panels.
ThreatFabric said a compiled version of the C2 app has been leaked to a public virus-sharing service, suggesting that the malware may have been leaked and is being distributed freely among cybercriminals.
"The discovery of Datzbro highlights the evolution of mobile threats targeting unsuspecting users through social engineering campaigns," the company said. "By focusing on seniors, fraudsters exploit trust and community-oriented activities to lure victims into installing malware. What begins as a seemingly harmless event promotion on Facebook can escalate into device takeover, credential theft, and financial fraud."
The disclosure comes as IBM X-Force detailed an AntiDot Android banking malware campaign codenamed PhantomCall that has targeted users of major financial institutions globally, spanning Spain, Italy, France, the U.S., Canada, the U.A.E., and India, using fake Google Chrome dropper apps that can get around Android 13's controls that prevent sideloaded apps from abusing accessibility APIs.
According to an analysis published by PRODAFT in June 2025, AntiDot is attributed to a financially motivated threat actor known as LARVA-398 and is offered to others under a Malware-as-a-Service (MaaS) model on underground forums.
The latest campaign is designed to make use of the CallScreeningService API to monitor incoming calls and selectively block them based on a dynamically generated list of phone numbers stored in the phone's shared preferences, effectively allowing the attackers to extend unauthorized access, complete fraudulent transactions, or delay detection.
"PhantomCall also enables attackers to initiate fraudulent activity by silently sending USSD codes to redirect calls, while abusing Android's CallScreeningService to block legitimate incoming calls, effectively isolating victims and enabling impersonation," security researcher Ruby Cohen said.
"These capabilities play a critical role in orchestrating high-impact financial fraud by cutting off victims from real communication channels and enabling attackers to act on their behalf without raising suspicion."
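As an added defensive example (not code from ThreatFabric, IBM X-Force, or either malware family), the Python below triages a decoded AndroidManifest.xml for the capability combination both campaigns above rely on: an accessibility service alongside call screening, overlays, or package installation. The sample manifest and its package name are constructed placeholders, not a real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# How the capabilities described in the article surface in a decoded manifest
# (e.g. one produced by apktool): services are found via their intent-filter
# action, other capabilities via <uses-permission>.
SERVICE_ACTIONS = {
    "android.accessibilityservice.AccessibilityService": "accessibility service (remote control, keylogging)",
    "android.telecom.CallScreeningService": "call screening service (silent blocking of incoming calls)",
}
PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper behaviour)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.CALL_PHONE": "can dial numbers, including USSD codes",
    "android.permission.RECORD_AUDIO": "can record audio",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky capabilities a manifest declares as {name: explanation}."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSIONS:
            findings[name] = PERMISSIONS[name]
    for action in root.iter("action"):           # actions live inside service intent-filters
        name = action.get(ANDROID_NS + "name", "")
        if name in SERVICE_ACTIONS:
            findings[name] = SERVICE_ACTIONS[name]
    return findings

def is_suspicious(findings: dict) -> bool:
    """Accessibility plus call screening, overlay or install capability is the
    combination that enables the device-takeover behaviour described above."""
    accessibility = "android.accessibilityservice.AccessibilityService" in findings
    escalators = {"android.telecom.CallScreeningService",
                  "android.permission.SYSTEM_ALERT_WINDOW",
                  "android.permission.REQUEST_INSTALL_PACKAGES"}
    return accessibility and bool(escalators & findings.keys())

# Constructed sample manifest imitating a fake "group app"; package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.placeholder.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Senior Group">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Screen" android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter><action android:name="android.telecom.CallScreeningService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    for name, why in found.items():
        print(f"{name}: {why}")
    print("suspicious:", is_suspicious(found))
```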