In threat intelligence shared in August 2025, Dutch mobile security company ThreatFabric reported the discovery of a new Android banking trojan called Datzbro. This trojan is an existential threat to older Americans. This previously undocumented malware allows threat actors to control devices and carry out unauthorized transactions. It directly targets older adults, especially those seeking social engagement opportunities and short bus trips.
Datzbro relies on persuasive social engineering tactics, such as using Facebook groups focused on selling “active senior trips” to find its next mark. Attackers often begin by phoning their targets through services such as Facebook Messenger or WhatsApp. Then they coerce these victims into installing an APK file through phony links. As this especially insidious trojan continues to roll out, it represents an obvious and increasing danger to our society’s most vulnerable demographic cohorts.
Capabilities of Datzbro
Datzbro is more than widespread malware; it is a dangerous adversary. Of all its capabilities, one seems to be particularly dangerous. The trojan is capable of recording audio, taking photos, accessing files, and performing financial fraud via remote control. Its tactics, such as overlay attacks and keylogging, further increase this malware’s potential to steal sensitive information.
ThreatFabric noted, “Such a filter clearly shows the focus of the developers behind Datzbro, not only using its Spyware capabilities, but turning it into a financial threat.” The malware’s ability to acquire login credentials for mobile banking applications through keylogging illustrates its potential for financial exploitation.
Datzbro employs a cutting-edge APK binding service called Zombinder. This service generally works around security limits in Android 13 and up, which helps the trojan avoid detection by most security measures that are usually deployed on devices.
Targeting the Elderly
The campaign’s targeted appeal to older adults who want social connection is its most insidious aspect. By exploiting their need for socialization and engagement, attackers set the stage for real-world exploitation to occur. Fraudulent sites connected to Datzbro entice users to download a fake community app. Attackers misleadingly assert that this app will streamline event registration and help connect members.
“The fake websites prompted visitors to install a so-called community application, claiming it would allow them to register for events, connect with members, and track scheduled activities,” said ThreatFabric. This misleading tactic is what allows the trojan to thrive. In addition to being ineffective, it provides victims with a false sense of safety.
Specialists have previously detected the trojan in at least three countries. These include Australia, Singapore, Malaysia, Canada, South Africa and the U.K., showing its shocking adaptability and international reach.
Defense Mechanisms
Luckily, Android users are not completely powerless against Datzbro. Google Play Protect is turned on by default on any device that ships with Google Play Services. It’s not just misleading marketing jargon: it protects strongly against all previously identified malware variants. This built-in feature goes a long way toward protecting users as Datzbro attempts to do harm, but users still need to be proactive.
To make things even more complicated, the attackers’ infrastructure features a command-and-control (C2) backend tied to a Chinese-language desktop application. As the threat continues to develop, the attackers may be seeking to expand their impact to iOS users, too. The bogus sites have phony app store links that claim to download an iOS app. This means that Datzbro’s developers are getting ready to share TestFlight apps for iOS devices.
Ruby Cohen described a concerning aspect of Datzbro: “PhantomCall enables attackers to initiate fraudulent activity by silently sending USSD codes to redirect calls, while abusing Android’s CallScreeningService to block legitimate incoming calls, effectively isolating victims and enabling impersonation.”

