Senior Travel Scams Used by Threat Actors to Distribute Datzbro Malware


On Thu, Aug 1, 2025, Australian authorities issued scam alerts following reports of suspicious Facebook groups promoting “active senior trips.” These groups were found to be part of a mobile malware operation.

ThreatFabric researchers discovered these groups were managed by fraudsters who tricked seniors into downloading a malicious Android Trojan called “Datzbro.”

Operation and Impact

The campaign targeted seniors interested in community activities. Fraudsters created Facebook groups with AI-generated posts advertising events and trips. Users were then directed to join private messaging channels.

Reports indicate that similar groups appeared in Singapore, Malaysia, Canada, South Africa, and the United Kingdom.

Once users showed interest, scammers contacted them via Facebook Messenger or WhatsApp, providing links to download a “community application” for event registration. In some cases, victims were asked to pay a sign-up fee, leading to payment-card theft through phishing sites. Android users were served a malicious APK.

Datzbro Trojan

The downloaded APK was identified as a Device-Takeover Trojan named “Datzbro.” It combines traditional spyware features with advanced remote-control abilities.

Datzbro uses Android’s Accessibility Services for automated gestures and actions. It can target banking and crypto apps by displaying fake credential-entry screens and capturing authentication data.

Banking and Crypto Targeting

Datzbro monitors Accessibility events for specific package names and event text to initiate attacks. It displays fake screens for credential capture and intercepts device authentication methods.

Further investigation revealed a leaked Command-and-Control desktop application for Datzbro. The malware originates from Chinese-speaking cybercriminal communities.

Mitigations

Combining AI-generated content and sophisticated malware features, this campaign poses a financial threat to seniors. Raising awareness among seniors and community organizations is crucial.

Financial institutions should warn users against downloading unverified apps from social media. Enhanced scrutiny of Accessibility Service permissions and reporting suspicious online groups can help mitigate risks.
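One defender-side check that follows from the Accessibility-permission advice above, as an added example that is not code from the article or from ThreatFabric: it parses the device's enabled_accessibility_services setting and compares installed packages against the indicators listed under Indicators of Compromise. The allowlist, service names and sample digests are assumptions.

```python
"""Flag Datzbro indicators on an Android device under investigation (added example).
Inputs: the value of `adb shell settings get secure enabled_accessibility_services`
and the SHA-256 of each APK pulled from the device. Sample inputs are constructed."""
# SHA-256 -> package name, from the article's Indicators of Compromise.
DATZBRO_SHA256 = {
    "a57d70b2873d9a3672eda76733c5b2fb96dca502958064fab742cfc074bf0feb": "twzlibwr.rlrkvsdw.bcfwgozi",
    "453b0a62e414e9b40185c63842546fc96e8e1ab3f77d3230b02988dd8834c555": "orgLivelyYears.browses646",
    "ed2313bfebe03ff29a7c802ddd471583cc8da76bf5cb9f418ae7d999d6a0b9fb": "com.forest481.security",
    "fac119c569ba7dd19df9154f22f928cf3f0b0165bbe7d6b11a77215bdfc2a11a": "inedpnok.kfxuvnie.mggfqzhl",
}
DATZBRO_PACKAGES = set(DATZBRO_SHA256.values())
# Packages the analyst expects to hold accessibility access (assumed allowlist).
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting):
    """Package names with an enabled accessibility service. The setting is a colon-separated
    list of "package/service" ComponentNames (service may be ".Service"); "null" means none."""
    packages = set()
    if not setting or setting.strip() == "null":
        return packages
    for entry in setting.split(":"):
        pkg = entry.strip().partition("/")[0]
        if pkg:
            packages.add(pkg)
    return packages


def triage(setting, apk_sha256):
    """apk_sha256: package -> hex SHA-256 of its APK. Returns package -> list of reasons."""
    a11y = parse_enabled_services(setting)
    findings = {}
    for pkg, digest in apk_sha256.items():
        reasons = []
        if pkg in DATZBRO_PACKAGES:
            reasons.append("package name matches Datzbro IoC")
        if digest.lower() in DATZBRO_SHA256:
            reasons.append("APK SHA-256 matches Datzbro IoC")
        if pkg in a11y and pkg not in ALLOWED_A11Y:
            reasons.append("accessibility service enabled, package not on allowlist")
        if reasons:
            findings[pkg] = reasons
    return findings


# Constructed sample: TalkBack plus a "community app" holding accessibility access.
SAMPLE_SETTING = "com.google.android.marvin.talkback/.TalkBackService:com.forest481.security/.A11yService"
SAMPLE_APKS = {
    "com.google.android.marvin.talkback": "00" * 32,  # placeholder digest
    "com.forest481.security": "ed2313bfebe03ff29a7c802ddd471583cc8da76bf5cb9f418ae7d999d6a0b9fb",
    "twzlibwr.rlrkvsdw.bcfwgozi": "ff" * 32,  # IoC package name, unknown build
}
```

A package that only hits the third reason is not proof of Datzbro, but it is the permission the article says the Trojan depends on and deserves a look.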

Indicators of Compromise

SHA-256                                                           Package name                Application name
a57d70b2873d9a3672eda76733c5b2fb96dca502958064fab742cfc074bf0feb  twzlibwr.rlrkvsdw.bcfwgozi  Senior Group
453b0a62e414e9b40185c63842546fc96e8e1ab3f77d3230b02988dd8834c555  orgLivelyYears.browses646   Lively Years
ed2313bfebe03ff29a7c802ddd471583cc8da76bf5cb9f418ae7d999d6a0b9fb  com.forest481.security      ActiveSenior
fac119c569ba7dd19df9154f22f928cf3f0b0165bbe7d6b11a77215bdfc2a11a  inedpnok.kfxuvnie.mggfqzhl  DanceWave