Seniors targeted in global Facebook scam spreading new Android malware

Researchers have uncovered a scam campaign that uses Facebook groups promoting social activities for seniors to trick victims into installing Android malware on their devices.

The scheme first surfaced in Australia in August, when users reported suspicious groups advertising dance events, day trips and community gatherings for older people. Researchers at Dutch cybersecurity firm ThreatFabric later identified dozens of similar groups across Facebook, many relying on AI-generated content to lure victims into downloading malicious apps.

Since then, such operations have been spotted in Singapore, Malaysia, Canada, South Africa and the U.K. In a report on Tuesday, ThreatFabric warned that the malware at the center of the campaign — dubbed Datzbro — poses a global risk after its builder and command-and-control software leaked online, making it freely available to criminals worldwide.

“By focusing on seniors, fraudsters exploit trust and community-oriented activities to lure victims into installing malware,” the report said. “What begins as seemingly harmless event promotion on Facebook can escalate into device takeover, credential theft, and financial fraud.”

Although the groups were largely filled with AI-generated posts, the content appeared convincing enough to draw hundreds of responses. Once victims showed interest, fraudsters moved conversations to Messenger or WhatsApp, where they shared links to fake registration websites.

These sites encouraged users to download a “community app” to sign up and track activities. In reality, clicking the “Google Play” button triggered the installation of Datzbro — either directly or via a known Android dropper called Zombinder, which can bypass security protections on newer devices.

ThreatFabric said Datzbro combines spyware capabilities such as audio recording, camera access and file theft with banking trojan features, including remote access, keylogging and phishing aimed at stealing banking and cryptocurrency credentials.

For example, the malware can capture passwords for services like Alipay, China’s largest mobile payments platform, and WeChat, the country’s dominant messaging and social app, as well as device PIN codes.

Although the campaign has not been attributed to a specific group, the command-and-control interface and much of the malware’s code contained Chinese-language strings, suggesting its developers are based in China, according to the report. Researchers also noted earlier campaigns targeting Chinese-speaking users, indicating Datzbro may have been deployed domestically before spreading globally.

“With its spyware functionality, remote access tools, and growing focus on banking apps, Datzbro represents a significant step in the blending of spyware and banking trojan capabilities,” the researchers wrote.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
