Datzbro is an Android malware family described by ThreatFabric as a banking trojan with spyware capabilities that supports device takeover (DTO) attacks and fraudulent transactions. It has been observed in scam campaigns that prey on elderly users, including Facebook groups advertising social activities for seniors. In the reported activity, victims were lured with convincing, sometimes AI-generated posts, moved to Messenger or WhatsApp, and then directed to fake registration sites that prompted installation of a supposed “community app.” Datzbro was delivered either directly or via the Zombinder Android dropper.
The malware is reported to combine spyware and banking-trojan functionality. Documented capabilities include remote access, keylogging, phishing, audio recording, camera access, file theft, and theft of banking and cryptocurrency credentials. ThreatFabric also reported that Datzbro can capture passwords for Alipay and WeChat, as well as device PIN codes. Its DTO and interaction techniques abuse Android Accessibility services, a technique also noted in other Android banking malware.
ThreatFabric warned that Datzbro poses a broader global risk because its builder and command-and-control software leaked online, making it available to other criminals. The campaign was first noticed in Australia and later observed in Singapore, Malaysia, Canada, South Africa, and the U.K. Researchers noted Chinese-language strings in the malware code and command-and-control interface, suggesting possible China-based development, but the campaign was not attributed to a specific threat group. Earlier activity reportedly targeted Chinese-speaking users, leading researchers to suggest it may have initially been used domestically before spreading more widely.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as an Android banking malware family that similarly abuses Android Accessibility services for banking fraud/credential theft techniques.
Previously undocumented Android banking trojan that performs device takeover (DTO) and fraudulent transactions, reportedly using AI-generated Facebook travel event lures targeting elderly users.
Android malware distributed via Facebook group scams targeting seniors. It blends spyware (audio recording, camera access, file theft) with banking-trojan/RAT capabilities (remote access, keylogging, phishing) to steal banking and cryptocurrency credentials and device PINs.
Android banking trojan capable of device takeover (DTO) and fraudulent transactions, reportedly targeting elderly victims.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.