ThreatFabric first linked Datzbro to social engineering in August 2025, after reports emerged that Facebook groups in Australia were advertising "trips for seniors" that were actually channels for recruiting victims. Similar scams have been detected in Singapore, Malaysia, Canada, South Africa, and the United Kingdom.
Attackers create Facebook groups with AI-generated posts that promote local travel for elderly users.
When someone shows interest, the conversation moves to Messenger or WhatsApp, where scammers send a link to download an app for signing up for trips and social gatherings. Instead, users end up downloading an APK file with malicious code, reports the website Informacija.rs.
In some cases, the Zombinder service is used to help the malware bypass protections introduced in Android 13 and later versions. There are also indications that cybercriminals are developing iOS TestFlight lures, suggesting ambitions to expand across multiple platforms.
Datzbro is distributed through apps with harmless-sounding names such as "Senior Group" and "Lively Years", as well as apps that imitate popular Chinese applications.
How Does the Malware Work?
Once installed, the malware requests a wide range of permissions and abuses Accessibility Services to record keystrokes, PINs, and codes, capture audio and photos, collect files and cookies, display transparent overlay screens to hide its activity, and perform transactions without the victim’s knowledge.
Its distinguishing feature is the so-called "schematic remote control" – a system that records the screen layout, element positions, and their contents and sends this data to operators. This allows attackers to "recreate" the device interface and remotely control it as if they were looking over the user's shoulder.
Datzbro specifically searches for banking and digital wallet apps. It analyzes logs and text entries to detect PINs, passwords, and one-time codes. It can also steal the device unlock PIN and compromise Chinese payment apps such as Alipay and WeChat.
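The combination described above, an app installed from outside the official store that also holds an enabled Accessibility Service, is what a defender or support technician can check for on a device. The script below is an added example written for this article, not code from the original report or from ThreatFabric. It parses the output of two `adb shell` commands (`pm list packages -i` and `settings get secure enabled_accessibility_services`) and flags packages whose accessibility service is enabled but which did not come from a trusted installer. The trusted-installer set, the allowlisted accessibility tool, and the sample command output are constructed assumptions and should be tuned for the fleet being checked.

```python
"""Triage check for an Android device: flag packages that were installed
from outside a trusted store and also have an Accessibility Service enabled,
the combination an overlay/remote-control banker such as Datzbro relies on.

Input is the text of two adb commands (constructed samples are embedded
below so the script runs offline):
  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
"""
from __future__ import annotations

# Installers treated as trusted stores (assumption: tune for the fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Accessibility tools that legitimately need the service
# (assumption; extend with whatever the organisation has approved).
ALLOWLISTED_SERVICES = {"com.google.android.marvin.talkback"}

# Constructed sample output of `pm list packages -i` (not a real capture).
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.seniorgroup.app  installer=null
package:com.livelyyears.travel  installer=com.android.packageinstaller
"""

# Constructed sample value of `enabled_accessibility_services`
# (colon-separated list of package/ServiceClass entries).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.seniorgroup.app/com.seniorgroup.app.svc.A11yService"
)


def parse_packages(pm_output: str) -> dict[str, str | None]:
    """Map package name -> installer package (None when sideloaded/unknown)."""
    result: dict[str, str | None] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, rest = body.partition(" ")
        installer = None
        for tok in rest.split():
            if tok.startswith("installer="):
                value = tok[len("installer="):]
                installer = None if value == "null" else value
        result[name] = installer
    return result


def parse_accessibility(setting: str) -> dict[str, list[str]]:
    """Map package name -> list of enabled accessibility service classes."""
    services: dict[str, list[str]] = {}
    if not setting or setting.strip() == "null":
        return services
    for entry in setting.strip().split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services


def find_suspicious(pm_output: str, a11y_setting: str) -> list[dict]:
    """Return every non-allowlisted package with an enabled accessibility
    service; severity is 'high' when it was not installed by a trusted store."""
    packages = parse_packages(pm_output)
    a11y = parse_accessibility(a11y_setting)
    findings = []
    for pkg, classes in a11y.items():
        if pkg in ALLOWLISTED_SERVICES:
            continue
        installer = packages.get(pkg)
        sideloaded = installer not in TRUSTED_INSTALLERS
        findings.append({
            "package": pkg,
            "services": classes,
            "installer": installer,
            "sideloaded": sideloaded,
            "severity": "high" if sideloaded else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"[{f['severity']}] {f['package']} installer={f['installer']} "
              f"services={','.join(f['services'])}")
```

On a real device, pipe the two command outputs into `find_suspicious` instead of the embedded samples; a "high" finding is a sideloaded app that can read screen contents and inject input, which is exactly the capability set the article describes and is worth removing or investigating before the user logs in to a banking app.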
Researchers have found evidence suggesting that a Chinese-speaking group is behind the malware.
Datzbro appears at a time when mobile banking malware is seeing a strong surge. Cybercriminals increasingly use social engineering to make victims install malware themselves.
The emergence of Datzbro highlights the need for greater user education (especially among seniors), stricter control of app distribution, stronger protections around Accessibility Services permissions, and avoiding the installation of apps outside official stores – reports B92.