Attackers created fake Facebook groups targeting active seniors to distribute Android malware posing as event-registration apps, sometimes charging a sign-up fee as a pretext to phish payment-card details. The primary malware observed was the Datzbro trojan (occasionally delivered through the Zombinder dropper), distributed via links or messages and capable of audio/video recording, overlay phishing, and remote device control. #Datzbro #Zombinder
Key points
- Attackers set up fake Facebook groups promoting travel and community activities to lure seniors into downloading malicious Android apps.
- AI-generated content and realistic group posts were used to increase credibility and encourage downloads and payments.
- Malicious apps observed include Senior Group, Lively Years, ActiveSenior, and DanceWave, distributed from servers such as download.seniorgroupapps[.]com.
- The primary payload was the Datzbro trojan, with Zombinder used as a dropper in some instances to bypass the installation restrictions introduced in Android 13 and later.
- Datzbro combines spyware and banking-trojan features: audio/video recording, file access, phishing overlays, and remote device control.
- Researchers suspect the code originated in China and was later leaked and reused by multiple cybercriminal groups, affecting victims worldwide.
- Recommendations include scrutinizing a group's history and posts, avoiding links and apps from unknown sources, keeping mobile anti-malware up to date, and watching for red flags in group descriptions.
MITRE Techniques
- [T1436] Use of Mobile App Delivery – Attackers distributed malicious Android apps via links shared in Facebook groups and messages (“…invited to download an Android app to ‘register’ for those offered activities…”).
- [T1204] User Execution – Malicious content relied on social engineering to trick users into installing apps (“…lure targets into joining fake Facebook groups… invited to download an Android app…”).
- [T1056] Input Capture – Audio and video recording functionality was used to capture sensitive input and surroundings (“Record audio and video, and access files and photos.”).
- [T1412] Banking Malware – Datzbro exhibited banking-trojan behavior to steal credentials and drain accounts (“…specifically designed to drain bank accounts. …Display phishing overlays that mimic other apps to steal passwords…”).
- [T1606] Obfuscated Files or Information – Use of AI-generated content and obfuscated package names to appear legitimate and evade detection (“…stocked with AI-generated content to appear authentic… package names: twzlibwr.rlrkvsdw.bcfwgozi, orgLivelyYears.browses646…”).
- [T1086] Remote Services – Remote control capabilities allowed attackers to lock/unlock and control infected devices (“Let attackers remotely control infected Android devices, including locking or unlocking the screen.”).
Indicators of Compromise
- [Malicious domains] Download host – download.seniorgroupapps[.]com
- [App names] Malicious app names used as lures – Senior Group, Lively Years
- [App package names] Android package identifiers observed – twzlibwr.rlrkvsdw.bcfwgozi, orgLivelyYears.browses646 (and 2 more package names)
- [App names] Additional observed app names – ActiveSenior, DanceWave