
Attackers lure seniors through fake Facebook groups that use AI-generated posts and direct them to install a fraudulent app that delivers the Datzbro malware. Its spyware and banking-fraud capabilities enable remote device control, data theft, keylogging, and credential harvesting.
Cybersecurity researchers have identified a new Android banking trojan, dubbed Datzbro, that enables full device takeover and preys on elderly users through fake Facebook groups, ThreatFabric said. The campaign surfaced in August 2025 after reports from Australia and has also targeted Singapore, Malaysia, Canada, South Africa and the UK.
Targeting seniors with social engineering
Attackers set up convincing Facebook communities advertising trips, classes and social meetups, often using AI-generated posts to appear authentic. Interested seniors are contacted via Messenger or WhatsApp and directed to fraudulent sites offering a “community” app; downloading the Android package installs Datzbro directly or via a dropper that uses an APK-binding service called Zombinder to evade protections on Android 13 and later.
Capabilities and risks
Once active, Datzbro combines spyware and banking-fraud features: it records audio, captures images, accesses files, logs keystrokes and remotely controls devices through Android accessibility services. A notable “schematic remote control” mode sends a map of on-screen elements to operators so they can reproduce interfaces and operate the device remotely. The malware can display semi-transparent overlays to hide malicious actions and harvest lock-screen PINs and credentials for payment apps like Alipay and WeChat, while scanning for bank- or wallet-related text and package names.
Attribution and infrastructure
ThreatFabric found Chinese-language debug strings and a desktop-style command-and-control (C2) application in Chinese, suggesting a Chinese-speaking operator; a compiled C2 client has since appeared on public malware repositories. Researchers linked malicious app package names such as Senior Group, Lively Years, ActiveSenior and DanceWave to the campaign and warned the toolkit may now be circulating among criminal groups.
Context and prevention
Security firms say Datzbro underscores a worrying trend of fraudsters exploiting social trust and AI-created content to lure vulnerable people. Experts urge seniors and caregivers to avoid installing apps from social links, enable platform protections against sideloading, and verify event organizers through trusted channels. Organizations should watch for exposed credentials and unusual C2 activity, and victims must report suspicious messages to platforms and banks. Coordinated takedowns, industry alerts and community education can help reduce the harm that similar schemes would cause worldwide if left unchecked.