ThreatFabric researchers uncovered a sophisticated scam campaign that weaponizes social engineering and mobile malware to exploit one of society’s most vulnerable groups: seniors. The campaign not only tricks victims into joining fake Facebook groups but also delivers a newly discovered Android Trojan named Datzbro—a hybrid spyware and banking malware with dangerous remote-control capabilities.
The campaign began with fake Facebook groups promoting “active senior trips” and other community activities. According to ThreatFabric, “Our research revealed numerous Facebook groups filled with AI-generated content, pretending to organize activities for seniors. We found that not only Australia was targeted, but also users in Singapore, Malaysia, Canada, South Africa, and the UK.”
These groups, populated with AI-generated images and appealing descriptions, lured victims into joining. Once interested, users were contacted through Messenger or WhatsApp and urged to download a “community application” to register for events.
But instead of a legitimate app, clicking the “Google Play” button triggered the installation of Datzbro—either directly or via the Zombinder dropper, a tool designed to bypass Android 13+ restrictions.
ThreatFabric’s Mobile Threat Intelligence team named the malware Datzbro, referencing a string found within the code. Researchers describe it as “a broad set of capabilities with a focus on spyware activity, such as audio recording, camera capture, and access to files and photos. However, its feature set is sufficient to conduct financial fraud through remote control, ‘black overlay’ attacks, and keylogging — making it a significant threat to users worldwide.”
Some of its most alarming functions include:
- Remote screen sharing & control (operators can simulate gestures, clicks, and actions).
- Black overlay attacks, hiding fraudulent activity behind fake screens.
- Schematic remote control mode, reconstructing the victim’s screen layout for interaction even when screen streaming is poor.
- Accessibility logging specifically filtering for banking and crypto-related apps.
The malware explicitly targets apps like Alipay, WeChat, and any service containing “bank,” “wallet,” “finance,” or “verify” in accessibility events. As ThreatFabric notes, “Such a filter clearly shows the focus of the developers behind Datzbro, not only using its Spyware capabilities, but also turning it into a financial threat.”
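As an added illustration for defenders (this is not ThreatFabric's tooling or anything from the report), the following Python triages an AndroidManifest.xml for the permission bundle that underlies the capabilities listed above: an accessibility service combined with audio, camera, overlay and media access. The permission names are real Android permissions; the sample manifest, the capability mapping and the threshold are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Report's capability list mapped to the Android permissions that enable it.
CAPABILITY_PERMISSIONS = {
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "camera_capture": {"android.permission.CAMERA"},
    "black_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "file_and_photo_access": {"android.permission.READ_EXTERNAL_STORAGE",
                              "android.permission.READ_MEDIA_IMAGES"},
    "dropper_side_loading": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score one AndroidManifest.xml string against the Datzbro-like bundle."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    has_a11y = any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
                   for svc in root.iter("service"))
    matched = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                     if perms & requested)
    # Accessibility alone is what screen readers need; overlay plus several
    # spyware-grade permissions on top is what resembles the reported feature set.
    suspicious = has_a11y and "black_overlay" in matched and len(matched) >= 3
    return {"accessibility_service": has_a11y, "capabilities": matched,
            "suspicious": suspicious}


# Constructed sample manifest (not a real Datzbro sample) with the reported bundle.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.community">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Legitimate screen readers and remote-support apps request some of the same permissions, so treat a hit as a triage lead for analysts rather than a detection signature on its own.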
Analysis of the malware’s source code and infrastructure points to a Chinese origin. “The analysis of the malware source code reveals a lot of debug/logging strings written in Chinese,” researchers explain, adding that samples even carried the name “最强远控.apk” (“The most powerful remote control”).
Unlike most modern banking Trojans, Datzbro’s command-and-control (C2) panel is a desktop application, not web-based. ThreatFabric also discovered that the C2 application and builder were leaked online, making Datzbro freely available to cybercriminals worldwide. “This leads us to a hypothesis that malware was leaked and is distributed freely amongst cybercriminals,” the report states.
The blending of social engineering, AI-generated content, and advanced malware techniques makes Datzbro particularly dangerous. What begins as a harmless-looking event invitation for seniors escalates into device takeover, credential theft, and financial fraud.
As ThreatFabric concludes, “With its spyware functionality, remote access tools, and growing focus on banking apps, Datzbro represents a significant step in the blending of spyware and banking Trojan capabilities. The use of AI-generated content, social platforms, and advanced technical tricks … demonstrates the sophistication of today’s mobile fraud campaigns.”