Cybersecurity researchers have flagged a new Android banking trojan called Datzbro that can carry out device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly.
Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025, when users in Australia reported scammers managing Facebook groups that promoted "active senior visits". Other regions targeted by the threat actors include Singapore, Malaysia, Canada, South Africa and the UK.
The campaign focuses on elderly people looking for companionship, in particular social activities, trips, travel and similar events. The Facebook groups have been found to share artificial intelligence (AI)-generated material claiming to organize various activities for seniors.
Once prospective targets express interest in taking part in these events, they are approached via Facebook Messenger or WhatsApp and asked to download an APK file from a fraudulent link (e.g., "download.[.]com").
"Fake websites encouraged visitors to install a so-called community application, claiming that it would allow them to register for events, connect with members, and track scheduled activities," the company said in a report shared with The Hacker News.
Interestingly, the websites also included a placeholder link to download an iOS application, indicating that the attackers intend to target both mobile operating systems by distributing TestFlight apps to trick iOS victims.
Should the victim click the button to download the Android application, it leads either to a direct deployment of the malware on their device or to a dropper built with an APK binding service, which is designed to bypass the security restrictions introduced in Android 13 and later.
Some of the Android apps found to distribute Datzbro are listed below:
- Senior Group (Twzlibwr.Rlrkvsdw.bcfwgozi)
- Vive
- Activesenior (com.forest481.Security)
- Dancewave (indpnok.kfxuvnie.mggfqzhl)
- 作业帮 (io.mobile.itool)
- 麻豆传媒 (fsxhibqhbh.hlyzqkd.aois)
- 麻豆传媒 (Mobi.audio.Aassstant)
- 谷歌浏览器 (tvmhnrvsp.zltixkpp.mdok)
- MT 管理器 (varuhphk.vadneozj.tldo)
- MT 管理器 (spvojpr.bkkhxobj.twfwf)
- 大麦 (mnamrdrefa.edldylo.zish)
- MT 管理器 (io.red.studio.Tracker)
The malware, like other Android banking trojans, has a wide range of capabilities: recording audio, capturing photos, exfiltrating files and photos, and conducting financial fraud through remote control, overlay attacks and keylogging. It also relies on Android's accessibility services to carry out remote actions on the victim's device.
A notable feature of Datzbro is a remote control mode in which the malware sends information about every element displayed on the screen, including its position and content, so that operators can recreate the layout on their end and effectively command the device.
The banking trojan can also display a semi-transparent black overlay with custom text to hide malicious activity from the victim, as well as steal the device lock screen PIN and the passwords associated with Alipay and WeChat. In addition, it scans the accessibility event log for package names related to banks or cryptocurrency wallets, and for text containing passwords, PINs or other codes.
"Such filtering clearly shows that the developers behind Datzbro focus not only on using its spyware capabilities, but also on converting it into a financial threat," ThreatFabric said. "With the help of its keylogging capabilities, Datzbro can successfully capture login credentials for mobile banking applications entered by victims."
Datzbro is believed to be the work of a Chinese-speaking threat group, given the presence of Chinese debug and logging strings in the malware's source code. The malicious apps have been found to communicate with a command-and-control (C2) backend that is a Chinese-language desktop application, setting it apart from other malware families that rely on web-based C2 panels.
ThreatFabric said that a compiled version of the C2 app has been uploaded to a public malware repository, suggesting that the malware may have been leaked and is being distributed independently among cybercriminals.
"Datzbro's discovery highlights the evolution of mobile threats targeting unsuspecting users through social engineering campaigns," the company said. "By focusing on seniors, the fraudsters exploited trust and community-oriented activities to lure victims into installing malware. What starts on Facebook as a harmless event promotion can lead to device takeover, credential theft and financial fraud."
The disclosure comes as IBM X-Force detailed an Antidot Android banking malware campaign targeting users of major financial institutions globally, spread across Spain, Italy, France, the U.S., Canada, the UAE and India, and capable of bypassing Android 13 controls that restrict sideloaded apps.
According to an analysis published by PRODAFT in June 2025, Antidot has been attributed to a financially motivated actor tracked as LARVA-398 and is offered to others under a malware-as-a-service (MaaS) model on underground forums.
The latest campaign is designed to use the CallScreeningService API to monitor incoming calls and selectively block them based on a dynamic list of phone numbers stored in the app's shared preferences, effectively allowing attackers to obtain unauthorized access, complete fraudulent transactions, or cause delays.
"Fantomacol also enables the attackers to initiate fraudulent activity by sending USSD codes to redirect calls, while abusing Android's CallScreeningService to block legitimate incoming calls, effectively isolating the victims," security researcher Ruby Cohen said.
"These capabilities play an important role in orchestrating high-impact financial fraud by cutting the victims off from genuine communication channels and enabling the attackers to act on their behalf."