Hashtag: #AndroidBankingTrojan
Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks

Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware.

The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions.

Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims.

A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder. The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals.

Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware.

The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks #Android #AndroidBankingTrojan #AndroidTrojans

Anatsa Android Banking Trojan Hits 90,000 Users with Fake PDF App on Google Play

Anatsa Android Banking Trojan Hits 90,000 Users with Fake PDF App on Google Play reconbee.com/anatsa-andro...

#Anatsa #androidbankingtrojan #bankingtrojan #PDF #googleplay #google #banking #trojan

New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey

A newly identified Android banking malware named Crocodilus is making waves in the cybersecurity world, with experts warning about its advanced capabilities and targeted attacks in Spain and Turkey. Discovered by Dutch mobile security firm ThreatFabric, the malware represents a major leap in sophistication, emerging not as a prototype but as a fully-developed threat capable of device takeover, remote control, and stealth data harvesting through accessibility services.

Unlike many early-stage banking trojans, Crocodilus comes armed with a broad range of functionalities from its inception. Masquerading as Google Chrome via a misleading package name ("quizzical.washbowl.calamity"), the malware bypasses Android 13+ restrictions and initiates its attack by requesting accessibility permissions. Once granted, it connects to a command-and-control (C2) server to receive a list of targeted financial applications and corresponding HTML overlays to steal login credentials.

The malware also targets cryptocurrency users with a unique social engineering strategy. Instead of spoofing wallet login pages, it pushes alarming messages urging users to back up their seed phrases within 12 hours or risk losing access. This manipulative tactic prompts victims to expose their seed phrases, which are then harvested via accessibility logging—giving attackers full access to the wallets.

Crocodilus operates continuously in the background, monitoring app launches, capturing screen elements, and even intercepting one-time passwords from apps like Google Authenticator. It conceals its malicious activity by muting sounds and deploying a black screen overlay to keep users unaware. Key features include launching apps, removing itself from devices, sending SMS messages, retrieving contacts, requesting device admin rights, enabling keylogging, and modifying SMS management privileges. The malware’s ability to dynamically update C2 server settings further enhances its adaptability.

ThreatFabric notes that the malware’s sophistication, especially in its initial version, suggests a seasoned developer behind its creation—likely Turkish-speaking, based on code analysis. The emergence of Crocodilus underscores the evolving threat landscape of mobile banking malware, where adversaries are deploying complex and evasive techniques earlier in development cycles. In a related development, Forcepoint reported a separate phishing campaign using tax-themed emails to spread the Grandoreiro banking trojan in Latin America and Spain, indicating a broader uptick in banking malware activity across platforms and regions.

New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey #AndroidBankingTrojan #malware #MalwareAttack

Android Banking Trojan attacks banks: One message, one disaster – price 50,000 VND #AndroidBankingTrojan #ĐánhCắpMậtKhẩu #TàiKhoảnNgânHàng #TinNhắnVănBản

This password-stealing Android Banking Trojan takes over your account - and all it takes is a single text message. With so much sensitive personal and financial information stored on the best Android phones, it is no surprise that hackers keep targeting them in their attacks.

Android Banking Trojan attacks banks: One message, one disaster – price 50,000 VND #AndroidBankingTrojan #ĐánhCắpMậtKhẩu #TàiKhoảnNgânHàng #TinNhắnVănBản

This password-stealing Android Banking Trojan takes over your account - and all it takes is a single text message. With so much…
