Threat Actors Leveraging Senior Travel Scams to Deliver Datzbro Malware


Cybersecurity researchers have uncovered a sophisticated Android malware campaign targeting seniors through fraudulent travel and social activity promotions on Facebook.

The newly identified Datzbro malware represents a dangerous evolution in mobile threats, combining advanced spyware capabilities with remote access tools designed to facilitate financial fraud.

This campaign, first detected in August 2025, has expanded beyond Australia to target users across Singapore, Malaysia, Canada, South Africa, and the United Kingdom, demonstrating the global reach of these malicious operations.

The attack begins with threat actors creating numerous Facebook groups promoting “active senior trips,” dance events, and social gatherings specifically tailored to appeal to older adults seeking community activities.

These groups feature sophisticated content generated using artificial intelligence, creating convincing promotional materials that successfully attract genuine interest from potential victims.

The consistent appearance and messaging across groups targeting different geographical regions suggest coordination by a single threat actor or organized group operating at scale.


Fraudsters operating these groups contact interested victims through private messaging platforms including Facebook Messenger and WhatsApp, where they share links to download specialized applications purportedly required for event registration.

ThreatFabric analysts identified this malware distribution mechanism after investigating multiple scam alerts reported across affected regions.

The researchers discovered that victims were often asked to pay registration fees through the same malicious websites, creating additional opportunities for credential theft and financial fraud beyond the malware installation.

Users’ reports online (Source – Threat Fabric)

The fake websites employed in these campaigns prompt visitors to install what appears to be a legitimate community application, claiming it enables event registration, member connections, and activity tracking.

While the iOS application buttons currently serve as non-functional placeholders, researchers warn these could later be updated to distribute WebClip or TestFlight applications designed to steal credentials and payment information.

Fake Facebook senior groups (Source – Threat Fabric)

However, clicking the Google Play button immediately triggers the download of malicious APK files containing either Datzbro directly or the Zombinder dropper, specifically designed to bypass Android 13+ security restrictions.

Advanced Remote Access and Financial Targeting Capabilities

Datzbro employs sophisticated remote access technologies that distinguish it from conventional mobile malware families.

The malware leverages Android Accessibility Services to execute remote actions on behalf of operators, supporting comprehensive device control including screen sharing, interface interaction, and file management.

Each operator command corresponds to specific gestures or system functions, enabling threat actors to simulate button clicks, navigate applications, and perform complex interactions while remaining undetected by victims.

The malware’s “schematic” remote control mode represents a particularly innovative approach to device manipulation.

This feature creates basic screen layout representations using Accessibility event data, transmitting information about displayed elements, their positions, and content to command and control servers.

Operators can recreate the device interface on their systems, enabling effective control even when video streaming quality is poor or when black overlay attacks are active.

This dual-control mechanism ensures consistent access regardless of network conditions or defensive countermeasures.

Datzbro incorporates advanced evasion techniques including customizable black overlay attacks that hide fraudulent activities from victims.

Operators can adjust overlay transparency levels and display custom text messages, creating the impression that devices are idle or experiencing normal system updates.

While victims see opaque overlays preventing interaction observation, operators maintain semi-transparent views enabling continued device control.

This sophisticated visual deception allows financial transactions and credential harvesting to occur without victim awareness, significantly increasing attack success rates.

The malware specifically targets banking and cryptocurrency applications through hardcoded filtering systems that monitor Accessibility events for financial keywords including “bank,” “pay,” “wallet,” and “finance.”

Chinese language variants targeting “密码验证” (password verification) and “验证码” (verification code) demonstrate the malware’s multilingual capabilities and global targeting scope.

This focused approach to financial application monitoring, combined with keylogging capabilities and credential theft activities, positions Datzbro as a significant banking Trojan capable of comprehensive financial fraud operations against unsuspecting victims worldwide.
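The keyword filter and Accessibility Service binding described above are two static signals a defender can check for during APK triage. The following helper is an added illustration, not ThreatFabric's tooling or the malware's own code: it parses a decoded AndroidManifest.xml for services bound with BIND_ACCESSIBILITY_SERVICE and scans a string table for the reported financial keywords; the manifest, package name and strings are constructed samples, and the scoring threshold is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Keywords the article attributes to Datzbro's Accessibility-event filter
FINANCIAL_KEYWORDS = ("bank", "pay", "wallet", "finance", "密码验证", "验证码")

def accessibility_services(manifest_xml: str) -> list:
    """Return the names of <service> entries bound as Accessibility Services."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name")
            for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == BIND_A11Y]

def financial_keyword_hits(strings) -> dict:
    """Map each matched keyword to the strings containing it (case-insensitive)."""
    hits = {}
    for s in strings:
        low = s.lower()
        for kw in FINANCIAL_KEYWORDS:
            if kw in low:
                hits.setdefault(kw, []).append(s)
    return hits

def triage(manifest_xml: str, strings, min_hits: int = 3) -> dict:
    """Flag for review only when an a11y service and the keyword list coincide (threshold assumed)."""
    services = accessibility_services(manifest_xml)
    hits = financial_keyword_hits(strings)
    suspicious = bool(services) and len(hits) >= min_hits
    return {"accessibility_services": services,
            "keyword_hits": sorted(hits),
            "verdict": "review" if suspicious else "low"}

# Constructed sample manifest shaped like a "community app" that binds an Accessibility Service
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.seniortrips">
  <application>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
# Constructed string table: ordinary UI text plus the reported keyword list
SAMPLE_STRINGS = ["Register for trip", "bank", "Pay", "wallet", "finance", "密码验证", "验证码"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

Legitimate apps (payment or accessibility tools) will also trigger these signals, so the verdict is a prioritisation hint for manual review, not a detection on its own.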


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.