Senior Travel Scams Used by Threat Actors to Distribute Datzbro Malware


In August 2025, Australian authorities issued multiple scam alerts after users reported suspicious Facebook groups promoting “active senior trips.”

What initially appeared as harmless community gatherings concealed a sophisticated mobile malware operation.

ThreatFabric researchers uncovered that these groups were managed by fraudsters who lured seniors into downloading a malicious Android Trojan they have dubbed “Datzbro.”

This report details how the campaign operated, the capabilities of Datzbro, and why its global availability poses a significant threat.

The campaign targeted seniors seeking social activities, trips, and in-person events. Fraudsters created numerous Facebook groups filled with AI-generated posts announcing dance events, day trips, and other gatherings.

Though the content appeared genuine, it was tailored to appeal to seniors and prompted interested users to join private messaging channels.

Reports indicate that, beyond the groups aimed at audiences in Australia, near-identical groups also appeared in Singapore, Malaysia, Canada, South Africa, and the United Kingdom, all sharing the same messaging style and visuals.

Once victims expressed interest, scammers contacted them via Facebook Messenger or WhatsApp. Victims received links to download a so-called “community application” that purportedly allowed event registration, member connections, and schedule tracking.

In some instances, a nominal sign-up fee was requested, leading to payment-card theft via phishing sites. While iOS links led to inactive placeholders, Android victims who clicked the Google Play button were served a malicious APK.

Datzbro’s Arrival

Analysis by ThreatFabric’s Mobile Threat Intelligence team revealed that the downloaded APK was a new Device-Takeover Trojan, named “Datzbro” after an embedded string in its code.

The malware combines traditional spyware features—audio recording, camera capture, file and photo access—with advanced remote-control abilities.

These capabilities enable financial fraud through “black overlay” attacks and keylogging, effectively blurring the line between spyware and banking Trojan.

Datzbro leverages Android’s Accessibility Services to execute automated gestures and global actions, including Home and Back button simulations. Through its command-and-control interface, operators can:

  • Start or stop remote screen sharing and control.
  • Enable or disable a semi-transparent overlay to conceal malicious actions.
  • Lock or unlock the device.
  • Activate “schematic” remote control, which reconstructs screen elements based on Accessibility event data for precise interaction even under poor video streaming quality.

In schematic mode, the malware transmits a structured representation of screen elements—positions, labels, and content—enabling operators to interact seamlessly with apps while hiding behind a black or customized overlay.

Banking and Crypto Targeting

Though lacking the full overlay toolkit of classic banking Trojans, Datzbro includes hardcoded filters for banking and crypto apps.

The malware monitors Accessibility events for package names containing keywords such as “bank,” “pay,” “alipay,” “wallet,” and “finance,” as well as event text containing “password,” “pin,” or language-specific verification terms.

When triggered, Datzbro displays fake credential-entry screens asking victims for banking PINs and passwords. It also intercepts device PIN, pattern, or password entries, capturing all sensitive authentication data.

Further investigation uncovered a leaked Command-and-Control desktop application and builder for Datzbro, now freely available on public virus-sharing platforms.

ThreatFabric’s Mobile Threat Intelligence team identified samples named “最强远控.apk” (“The most powerful remote control”), along with Chinese-language debug strings, pointing to the developers’ origin.

The desktop C2 interface, unlike common web-based panels, suggests a unique operational model and confirms the malware’s roots in Chinese-speaking cybercriminal communities.

Mitigations

By combining AI-generated content, social platform manipulation, and cutting-edge malware features such as black overlays and schematic control, threat actors have created a potent financial threat against vulnerable seniors.

A campaign that begins with a friendly Facebook invitation can culminate in full device takeover, credential theft, and wire fraud.

As Datzbro spreads globally, raising awareness among seniors and community organizations is critical. Financial institutions and cybersecurity stakeholders must warn users about downloading unverified apps promoted through social media.

Enhanced scrutiny of Accessibility Service permissions and vigilant reporting of suspicious online groups can help break the chain from social scam to mobile malware infection.

Indicators of Compromise

Samples associated with the campaign:

SHA-256                                                           Package name                Application name
a57d70b2873d9a3672eda76733c5b2fb96dca502958064fab742cfc074bf0feb  twzlibwr.rlrkvsdw.bcfwgozi  Senior Group
453b0a62e414e9b40185c63842546fc96e8e1ab3f77d3230b02988dd8834c555  orgLivelyYears.browses646   Lively Years
ed2313bfebe03ff29a7c802ddd471583cc8da76bf5cb9f418ae7d999d6a0b9fb  com.forest481.security      ActiveSenior
fac119c569ba7dd19df9154f22f928cf3f0b0165bbe7d6b11a77215bdfc2a11a  inedpnok.kfxuvnie.mggfqzhl  DanceWave
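The following script turns the indicators above, and the advice in the Mitigations section to scrutinize Accessibility Service permissions, into a device-triage check. It is an added example, not tooling from ThreatFabric or the article's author. It assumes a responder has captured two strings from an Android device with adb (`adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`) and passes them to `triage()`; the device output embedded below is constructed for the demonstration, not taken from a real handset. It flags any installed package that matches the IoC table, and any sideloaded package (installer not Google Play) that currently holds an enabled Accessibility Service, which is the permission Datzbro abuses for remote control and credential capture.

```python
"""Datzbro triage helper: added example, assumes adb output captured beforehand."""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

# IoC table from the article: SHA-256 -> (package name, application name)
DATZBRO_IOCS: Dict[str, Tuple[str, str]] = {
    "a57d70b2873d9a3672eda76733c5b2fb96dca502958064fab742cfc074bf0feb":
        ("twzlibwr.rlrkvsdw.bcfwgozi", "Senior Group"),
    "453b0a62e414e9b40185c63842546fc96e8e1ab3f77d3230b02988dd8834c555":
        ("orgLivelyYears.browses646", "Lively Years"),
    "ed2313bfebe03ff29a7c802ddd471583cc8da76bf5cb9f418ae7d999d6a0b9fb":
        ("com.forest481.security", "ActiveSenior"),
    "fac119c569ba7dd19df9154f22f928cf3f0b0165bbe7d6b11a77215bdfc2a11a":
        ("inedpnok.kfxuvnie.mggfqzhl", "DanceWave"),
}
IOC_PACKAGES: Set[str] = {pkg for pkg, _ in DATZBRO_IOCS.values()}

# Installer IDs treated as a trusted store (Google Play); anything else is "sideloaded".
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `pm list packages -i` output (format: package:<name>  installer=<id>).
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:twzlibwr.rlrkvsdw.bcfwgozi  installer=null
package:com.example.sideloaded  installer=null
package:com.whatsapp  installer=com.android.vending
"""

# Constructed sample of enabled_accessibility_services (colon-separated package/service pairs).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "twzlibwr.rlrkvsdw.bcfwgozi/.AccessService:"
    "com.example.sideloaded/.HelperService"
)

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map each installed package to its installer; None when adb reports 'null'."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue  # blank or unexpected line
        pkg, installer = m.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def parse_accessibility_services(text: str) -> Set[str]:
    """Return the packages that currently own an enabled Accessibility Service."""
    pkgs: Set[str] = set()
    for entry in text.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def hash_apk(data: bytes) -> str:
    """SHA-256 hex digest of APK bytes, for comparison against the IoC table."""
    return hashlib.sha256(data).hexdigest()


def lookup_hash(sha256_hex: str) -> Optional[Tuple[str, str]]:
    """Look up an APK hash (any case) in the IoC table."""
    return DATZBRO_IOCS.get(sha256_hex.lower())


def triage(pm_text: str, a11y_text: str) -> List[Dict[str, str]]:
    """Flag IoC package matches and sideloaded apps holding Accessibility access."""
    installers = parse_pm_list(pm_text)
    a11y_pkgs = parse_accessibility_services(a11y_text)
    findings: List[Dict[str, str]] = []
    for pkg, installer in installers.items():
        reasons = []
        if pkg in IOC_PACKAGES:
            reasons.append("package name matches Datzbro IoC")
        if pkg in a11y_pkgs and installer not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded app with Accessibility Service enabled")
        if reasons:
            findings.append({"package": pkg, "installer": installer or "unknown",
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(f"{f['package']:40} installer={f['installer']:20} {f['reason']}")
```

On the constructed sample, the IoC package is flagged twice over (name match and a sideloaded Accessibility Service), the unrelated sideloaded app is flagged on the Accessibility criterion alone, and TalkBack, which legitimately holds Accessibility access but came from Google Play, is not reported. Hash matching is kept separate from the package check because Datzbro builds can be repackaged under new names while the builder output's hash stays in the table only for samples already seen.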


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.