Scam Facebook groups send malicious Android malware to seniors


An infostealer and banking Trojan rolled into one is making the rounds in Facebook groups aimed at “active seniors”.

Attackers used social engineering methods to lure targets into joining fake Facebook groups that appeared to promote travel and community activities—such as trips, dance classes, and community gatherings. Once people joined, they were invited to download an Android app to “register” for those offered activities.

Researchers at ThreatFabric found numerous Facebook groups created under this pretense, stocked with AI-generated content to appear authentic and trick users into downloading the malware. App names included Senior Group, Lively Years, ActiveSenior, and DanceWave. In some cases, victims were also asked to pay a sign-up fee on the same website, leading to phishing and card detail theft.

One of the servers hosting these downloads was located at download.seniorgroupapps[.]com.

Sometimes the cybercriminals sent a follow-up message through Messenger or WhatsApp, sharing the download links for the malicious apps.

Often this would be the Datzbro Trojan, but sometimes victims were hit with Zombinder, a Trojan dropper capable of bypassing the security restrictions Google introduced in Android 13 and later versions.

What Datzbro can do

The researchers found that Datzbro had capabilities similar to both spyware and banking Trojans—specifically designed to drain bank accounts.

Once installed, this Android malware can:

  • Record audio and video, and access files and photos.
  • Display phishing overlays that mimic other apps to steal passwords and send them to the attackers.
  • Let attackers remotely control infected Android devices, including locking or unlocking the screen.

Researchers analyzed the code and suspect that it was likely developed in China, but later leaked and was reused by broader cybercriminal groups. The campaign has reached victims worldwide, including Australia, Singapore, Malaysia, Canada, South Africa, and the UK.

How to stay safe in Facebook groups

Although many of the Facebook groups involved in this campaign have been taken down, there might be others. To protect yourself:

  • Check a Facebook group’s history and avoid those that might have been freshly set up for malicious purposes. Unfortunately, it’s not possible to check the age of a group before you join, but once you’re a member, look at the dates of historical posts or pinned posts.
  • Don’t click on links or install apps provided by such groups or by private messages from people you don’t really know.
  • Use up-to-date real-time anti-malware protection, especially on your mobile devices.
  • Be wary of groups offering suspicious or too-good-to-be-true promises.
  • Check a group’s description and rules for professionalism or red flags.

It’s worth noting that many of the groups also included a button to download an “iOS application.” These were just placeholders at the time, but might be an indication that there are plans to target iPhone users as well.

Indicators of Compromise (IOCs)

The malicious app used these names:

  • Senior Group
  • Lively Years
  • ActiveSenior
  • DanceWave

and these package names:

  • twzlibwr.rlrkvsdw.bcfwgozi
  • orgLivelyYears.browses646
  • com.forest481.security
  • inedpnok.kfxuvnie.mggfqzhl
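As an added example (not code from the article or from ThreatFabric's report), the following Python snippet checks an Android device's installed-package list, as printed by `adb shell pm list packages -f`, against the package names listed above. The `pm` output format `package:<apk path>=<package name>` is standard Android; the sample output and APK paths embedded below are constructed for offline testing.

```python
import re
import subprocess
from typing import Iterable

# Package names published as IOCs for the Datzbro campaign (from the article above).
DATZBRO_PACKAGES = {
    "twzlibwr.rlrkvsdw.bcfwgozi",
    "orgLivelyYears.browses646",
    "com.forest481.security",
    "inedpnok.kfxuvnie.mggfqzhl",
}

# `pm list packages -f` prints one line per app: package:<apk path>=<package name>
# Without -f the line is just package:<package name>; both shapes are handled.
# APK paths on modern Android contain "==" (e.g. /data/app/~~abc==/...), so the
# package name is anchored to the end of the line and the path is taken lazily.
_PM_LINE = re.compile(r"^package:(?:(?P<path>.+?)=)?(?P<name>[A-Za-z0-9_.]+)\s*$")

def parse_pm_list(output: str) -> dict:
    """Map package name -> APK path (or None) from `pm list packages` output."""
    found = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            found[m.group("name")] = m.group("path")
    return found

def find_datzbro(output: str, iocs: Iterable[str] = DATZBRO_PACKAGES) -> list:
    """Return sorted (package, apk_path) pairs for installed packages matching the IOCs."""
    installed = parse_pm_list(output)
    wanted = set(iocs)
    return sorted((pkg, path) for pkg, path in installed.items() if pkg in wanted)

def scan_connected_device() -> list:
    """Run the check against a USB-attached device via adb (requires adb in PATH)."""
    proc = subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                          capture_output=True, text=True, check=True)
    return find_datzbro(proc.stdout)

# Constructed sample output; the APK paths are made up and the benign packages are examples.
SAMPLE_PM_OUTPUT = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~abc==/com.forest481.security-1/base.apk=com.forest481.security
package:/data/app/~~def==/org.example.weather-2/base.apk=org.example.weather
package:/data/app/~~ghi==/inedpnok.kfxuvnie.mggfqzhl-1/base.apk=inedpnok.kfxuvnie.mggfqzhl
"""

if __name__ == "__main__":
    for pkg, path in find_datzbro(SAMPLE_PM_OUTPUT):
        print(f"IOC match: {pkg} ({path})")
```

A match only tells you a listed package name is installed; the attacker can rename packages in later builds, so treat a clean result as one check among several rather than a clean bill of health.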





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.