Salvador Stealer

What is Salvador Stealer malware?

Salvador Stealer is a sophisticated Android banking malware that emerged in early 2025, designed to steal sensitive financial information through advanced social engineering and credential harvesting techniques. This mobile banking trojan masquerades as legitimate banking applications. It employs phishing infrastructure to capture critical user data including banking credentials, one-time passwords (OTPs), and personal identification information.

It is a multi-stage mobile stealer that operates through a dropper-payload architecture. Its primary components are a dropper APK that appears as a legitimate banking application, and a secondary payload (base.apk) containing the core malicious functionality. The malware uses sophisticated obfuscation techniques, including XOR encryption with the key "npmanager" to hide its malicious strings and communications.

Salvador bypasses traditional security measures by leveraging WebView technology to embed phishing pages directly within the application. This approach allows the malware to create a convincing user interface that mimics legitimate banking applications while maintaining direct communication with command and control servers. The persistence mechanisms include automatic restart capabilities and boot-time execution, ensuring continuous operation even after device reboots or manual termination attempts.

Salvador Stealer Victimology

The stealer primarily targets mobile banking users in India and other South Asian regions, as evidenced by its focus on collecting Aadhaar numbers and PAN card details (identification documents specific to the Indian financial system). The malware specifically targets users of popular Indian banking institutions by mimicking their mobile applications and branding.

Its broad spectrum of victims aggregates individuals, small businesses, and large enterprises. It focuses on users with access to valuable data, such as corporate credentials, financial accounts, or cryptocurrency wallets. Organizations in sectors like finance, healthcare, and technology are particularly vulnerable due to the high value of their data. Remote and hybrid work environments, especially those using Bring Your Own Device (BYOD) policies, are at higher risk because of relaxed security controls and increased attack surfaces.

What Salvador Stealer Can Do to User Device

Once installed on an endpoint device, Salvador Stealer can:

• Steal Credentials: Extracts usernames, passwords, and session cookies from browsers and applications.
• Harvest Financial Data: Targets credit card details, bank account information, and cryptocurrency wallet credentials.
• Capture Keystrokes: Uses keyloggers to record user inputs, including unsaved passwords.
• Hijack Clipboards: Replaces or steals data copied to the clipboard, such as account numbers or crypto addresses.
• Take Screenshots: Captures screen content to gather sensitive information displayed at critical moments.
• Exfiltrate Files: Collects local files, such as PDFs or documents containing personal or corporate data.

The malware significantly compromises device security by requesting and abusing critical Android permissions including SMS reception, SMS sending, and internet access. It creates fake notifications to maintain user engagement and establish a legitimate appearance. It also modifies system behavior by registering broadcast receivers that ensure automatic execution upon device startup and network changes.

How Salvador Stealer Threatens Businesses and Organizations

Salvador Stealer poses severe risks to businesses by enabling:

• Data Breaches: Stolen credentials can lead to unauthorized access to corporate networks, facilitating larger attacks like ransomware.
• Financial Loss: Theft of financial data or cryptocurrency can result in direct monetary losses.
• Lateral Movement: Compromised credentials allow attackers to move within networks, targeting critical systems or data repositories.
• Reputational Damage: Leaked customer or proprietary data can erode trust and lead to regulatory penalties.
• Ransomware Enablement: Stolen data is often sold to ransomware groups for extortion or further attacks.

How Does Salvador Stealer Function?

Salvador Stealer operates by infiltrating a system and running in the background to avoid detection. It employs a modular architecture, allowing attackers to customize its payload for specific targets. Upon execution, it scans for valuable data, such as browser-stored credentials, session tokens, and cryptocurrency wallets. The malware communicates with a command-and-control (C2) server to exfiltrate stolen data, often using encrypted channels to evade detection (including Telegram Bot API integration and traditional HTTP POST requests to attacker-controlled servers). Its lack of persistence mechanisms means it focuses on quick data theft, leaving minimal traces unless detected early.

The stealer spreads through common attack vectors, including phishing emails, malicious downloads, social engineering, and malwertising. Phishing pages are designed using WebView technology to closely mimic legitimate banking interfaces, complete with proper branding and user experience elements. The malware injects malicious JavaScript code that intercepts XMLHttpRequest operations, ensuring that all user inputs are captured and forwarded to the attackers.

Advanced SMS interception capabilities allow Salvador Stealer to capture one-time passwords and two-factor authentication codes in real-time. The malware implements dynamic SMS forwarding, where it contacts remote servers to retrieve current forwarding numbers, allowing attackers to modify their collection infrastructure without updating the malware. This flexibility makes the malware particularly dangerous as it can adapt to changing operational requirements.

Salvador Stealer Attack Chain Live

We can see how exactly the above-mentioned tactics, technologies, and approaches combine Salvador’s execution chain by watching its sample detonated in ANY.RUN’s Interactive Sandbox.

View sandbox analysis of Salvador Stealer

Salvador Stealer malware analysis in the Sandbox

The two key components art Dropper APK that installs and triggers the second-stage payload, and Base.apk, the actual payload responsible for data theft.

The dropper APK declares specific permissions and intent filters in its AndroidManifest.xml, including package installing.

Once executed, base.apk exhibits several key behaviors:

1. It establishes a connection to Telegram, which the attackers use as a Command and Control (C2) server to receive stolen data and manage the infection.
2. It triggers the signature “Starts itself from another location,” confirming that it was dropped and launched by the initial dropper APK rather than being installed directly.

After loading the phishing WebView it requests several Android permissions, including:

• RECEIVE_SMS
• SEND_SMS
• READ_SMS
• INTERNET

These permissions are essential for the malware’s goals: intercepting one-time passwords (OTPs) and forwarding them. Once the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the Fitzgerald service.

This foreground service creates a fake notification (“Customer support”) and more importantly, it immediately registers a broadcast receiver to intercept incoming SMS. This is the real starting point of the OTP interception process. Every incoming message is captured and parsed by Earnestine. From the PDU, the malware extracts the message body, sender’s number, and timestamp.

Even if the user or system tries to terminate the app’s background service, the malware is programmed to automatically restart it. When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery task using Android’s WorkManager.

If the device itself is rebooted, a separate class named Ellsworth waits for reboot completion and triggers the Fitzgerald service again.

The Salvador Stealer tricks users into entering their banking credentials through a fake banking interface phishing page embedded in the app. Once the user submits their credentials, the data is immediately sent to both the C2 server and a Telegram bot. The data lands on a phishing website controlled by the attacker.

Stolen data sent to phishing site

By enabling HTTPS MITM Proxy mode in ANY.RUN’s Android sandbox, we were able to intercept and verify the exfiltration of user data in real time.

Credential theft attempts captured in the HTTP request logs

ANY.RUN’s analysts researched Salvador Stealer in depth by decoding the malware files and performing technical analysis, and made a number of interesting discoveries.

Gathering Threat Intelligence on Salvador Stealer malware

Threat intelligence provides critical insights into Salvador Stealer’s tactics, techniques, and procedures (TTPs). By analyzing data, organizations can:

• Identify emerging Salvador Stealer campaigns and their delivery methods.
• Use indicators of compromise(IOCs) like C2 server IPs or malware signatures to improve detection.
• Update security policies based on intelligence about new variants or evasion techniques.

Use ANY.RUN’s Treat Intelligence Lookup to find more Salvador samples dissected in the Interactive Sandbox, watch their behavior in the network and on device, collect IOCs and IOBs.

threatName:"salvador"

Salvador Stealer public sandbox analyses found via TI Lookup

Security teams should integrate threat intelligence feeds that include mobile malware indicators, especially Android banking trojans and their associated infrastructure.

Collecting indicators and understanding the TTPs of Salvador Stealer operators enables better detection and prevention strategies. This intelligence should inform security awareness training programs and help organizations adapt their security controls to address specific threat actor behaviors.

Conclusion

Salvador Stealer represents a significant evolution in mobile banking malware with its sophisticated technical capabilities and clever social engineering. Its advanced persistence mechanisms, real-time data exfiltration capabilities, and multi-channel command and control infrastructure make it particularly dangerous to both individual users and organizations.

Continuous vigilance and adaptation are required to enhance security practices. Businesses must invest in mobile security technologies, threat intelligence capabilities, and user education programs to stay ahead of these evolving threats.

Gather actionable intelligence via ANY.RUN’s TI Lookup: start with 50 trial requests.