
New Android Trojan “Datzbro” Tricking Elderly with AI-Generated Facebook Travel Events

Severity: Medium
Published: Tue Sep 30 2025 (09/30/2025, 09:20:00 UTC)
Source: The Hacker News

Description

Datzbro is a newly discovered Android banking trojan that targets elderly users through AI-generated Facebook travel event scams. It tricks victims into downloading malicious APKs via fake community apps that promise social activities, enabling device takeover and financial fraud. The malware abuses Android accessibility services to remotely control devices, steal credentials, and conduct overlay attacks. It specifically targets banking and cryptocurrency apps, capturing PINs and passwords. The campaign has been observed in Australia, the U.K., and other countries, with indications of expansion to iOS. The trojan’s operators use a Chinese-language command-and-control backend, suggesting a Chinese-speaking threat actor. The malware’s sophisticated remote control and social engineering tactics pose a significant risk to vulnerable populations. European organizations, especially those serving elderly users, should be vigilant.

AI-Powered Analysis

AI Last updated: 10/07/2025, 01:13:32 UTC

Technical Analysis

Datzbro is an Android banking trojan first identified in August 2025 by ThreatFabric, targeting elderly users through social engineering campaigns on Facebook. The attackers create AI-generated Facebook groups promoting fake travel and social events for seniors, exploiting their trust and desire for community engagement. Victims are contacted via Facebook Messenger or WhatsApp and persuaded to download malicious APKs from fraudulent websites masquerading as community apps. These apps either deploy the trojan directly or use a dropper built with APK binding services such as Zombinder to evade the security restrictions introduced in Android 13 and later.

Datzbro abuses Android accessibility services to perform device takeover (DTO) attacks, enabling remote control of the device, overlay attacks that hide malicious activity, keylogging, and credential theft. It captures sensitive information such as lock screen PINs and passwords for financial apps including Alipay and WeChat, and monitors accessibility event logs for banking and cryptocurrency wallet apps. Its remote control mode sends detailed UI element data to the operators, allowing them to replicate the device screen and interact with it remotely. The trojan is linked to a Chinese-language desktop command-and-control backend, distinct from the typical web-based C2 panel, indicating a Chinese-speaking threat actor.

The malware is distributed through multiple fake Android apps with names that appeal to seniors, and there is also evidence of attempts to target iOS users via TestFlight apps. Although no exploitation beyond these campaigns has been reported in the wild, the malware’s capabilities pose a high risk of financial fraud and identity theft. The campaign’s focus on elderly victims and its use of AI-generated content for social engineering mark an evolution in mobile threat tactics. The malware’s presence in countries including Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. suggests a broad geographic scope. The campaign’s sophistication and targeted approach highlight the need for specialized detection and prevention strategies.

Potential Impact

For European organizations, particularly those providing services to elderly populations or managing mobile banking platforms, Datzbro represents a significant threat. The trojan’s ability to perform device takeover and financial fraud can lead to direct monetary losses for victims and reputational damage for financial institutions. Elderly users are especially vulnerable due to targeted social engineering tactics exploiting their trust and social needs. Healthcare providers, senior care organizations, and community groups facilitating social activities for seniors may inadvertently become vectors for infection. The malware’s use of accessibility services and overlay attacks complicates detection and remediation, potentially allowing prolonged unauthorized access. Financial institutions could face increased fraud claims and regulatory scrutiny if customers are compromised. Additionally, the trojan’s capability to steal credentials and PINs threatens confidentiality and integrity of sensitive financial data. The campaign’s expansion to iOS platforms could further increase the attack surface. European cybersecurity teams must prepare for potential incidents involving this malware, especially as it leverages social media platforms popular in Europe. The threat also underscores the importance of protecting vulnerable user groups from sophisticated social engineering and mobile malware attacks.

Mitigation Recommendations

European organizations should implement targeted awareness campaigns aimed at elderly users, educating them about the risks of downloading apps from unofficial sources and interacting with unsolicited social media invitations. Financial institutions should enhance monitoring for anomalous transactions and implement multi-factor authentication (MFA) that resists interception by malware. Mobile device management (MDM) solutions can enforce policies restricting APK sideloading and limit accessibility service permissions to trusted apps only. Security teams should deploy behavioral detection tools capable of identifying overlay attacks and suspicious accessibility service usage. Collaboration with social media platforms to identify and dismantle fraudulent groups promoting such scams is critical. Incident response plans should include procedures for rapid containment and remediation of infected devices, including remote wiping and credential resets. Regular threat intelligence sharing within European cybersecurity communities can facilitate early detection of emerging variants. Finally, encouraging users to keep devices updated and use Google Play Protect or equivalent security services can reduce infection likelihood.
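Two of the recommendations above, restricting sideloading and limiting accessibility service permissions to trusted apps, can be checked on an enrolled device without any special tooling. The script below is an added example for this page (not code from ThreatFabric, The Hacker News, or the Datzbro analysis): it parses the text printed by two standard adb commands and flags any enabled accessibility service whose package is not on an allow-list, plus any third-party package whose recorded installer is not the Play Store. The allow-list, the package names and the device output are constructed for illustration; the two output formats are assumptions that should be confirmed against the Android builds in your fleet.

```python
"""Triage helper: flag untrusted accessibility services and sideloaded apps.

Assumed command output formats (verify on your own devices):
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/ServiceClass:pkg2/ServiceClass2" (colon separated) or "null"
  adb shell pm list packages -3 -i
      -> one line per third-party package: "package:<pkg>  installer=<pkg|null>"
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed allow-list: accessibility services the organisation has vetted.
TRUSTED_ACCESSIBILITY_PKGS: Set[str] = {
    "com.google.android.marvin.talkback",
}

# Constructed sample device output, not captured from a real infection.
# "com.example.seniortravel" stands in for a sideloaded fake community app.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.seniortravel/com.example.seniortravel.AccService"
)
SAMPLE_PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.seniortravel  installer=null
package:com.example.bankapp  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, service_class) pairs from the secure setting value."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs


def parse_pm_list(raw: str) -> Dict[str, Optional[str]]:
    """Map each third-party package to its installer package (None if unknown)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installer: Optional[str] = None
        for token in rest.split():
            if token.startswith("installer="):
                value = token[len("installer="):]
                installer = None if value == "null" else value
        installers[pkg] = installer
    return installers


@dataclass
class Finding:
    package: str
    reason: str


def triage(enabled_raw: str, pm_raw: str,
           trusted: Set[str] = TRUSTED_ACCESSIBILITY_PKGS) -> List[Finding]:
    """Apply the two policies: trusted accessibility only, Play Store installs only."""
    findings: List[Finding] = []
    installers = parse_pm_list(pm_raw)
    flagged: Set[str] = set()
    for pkg, svc in parse_enabled_services(enabled_raw):
        if pkg in trusted:
            continue
        reasons = [f"accessibility service {svc} enabled but package not on allow-list"]
        if pkg in installers and installers[pkg] != PLAY_STORE_INSTALLER:
            reasons.append(f"sideloaded (installer={installers[pkg]})")
        findings.append(Finding(pkg, "; ".join(reasons)))
        flagged.add(pkg)
    for pkg, inst in installers.items():
        if inst != PLAY_STORE_INSTALLER and pkg not in flagged:
            findings.append(Finding(pkg, f"third-party app not from Play Store (installer={inst})"))
    return findings


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; in practice feed it real adb output.
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST):
        print(f"{f.package}: {f.reason}")
```

On the sample input only the sideloaded app with an enabled accessibility service is reported; the vetted screen reader and the Play Store-installed banking app pass both checks. In a fleet setting the same functions can be run over the output collected by an MDM agent, with the hit list feeding the containment steps the page lists (remote wipe and credential resets).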


Technical Details

Article Source
URL: https://thehackernews.com/2025/09/new-android-trojan-datzbro-tricking.html
Fetched: yes, at 2025-10-07T01:05:10.137Z (1554 words)

Threat ID: 68e467476a45552f36e85bfe

Added to database: 10/7/2025, 1:05:11 AM

Last enriched: 10/7/2025, 1:13:32 AM

Last updated: 10/7/2025, 6:53:15 AM

