Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Salvador Stealer

salvador
152
Global rank
152 infographic chevron month
Month rank
151 infographic chevron week
Week rank
0
IOCs

Salvador Stealer is a powerful, information-stealing Android malware designed to silently infiltrate systems, extract sensitive data, and exfiltrate it to cybercriminals. Often sold on underground forums, it is part of the growing ecosystem of “stealers-as-a-service” (SaaS) tools that target individuals and organizations alike.

Stealer
Type
Unknown
Origin
1 February, 2025
First seen
18 May, 2025
Last seen

How to analyze Salvador Stealer with ANY.RUN

Stealer
Type
Unknown
Origin
1 February, 2025
First seen
18 May, 2025
Last seen

IOCs

Last Seen at
4 May, 2025
Malicious activity
450a46974d091fd125de6b1770c3fdfca3e5a912d10cd056578c16a26f77d39f.apk
salvador
banker
stealer
telegram
4 May, 2025
Malicious activity
a020c8b91c6d5cb46e527cea7d094bf66ec2fb0725dc7bd66e368b2e323dd8f6.apk
salvador
banker
stealer
2 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
TRACK THEM ALL AT
Public Submissions
Last Seen at
4 May, 2025
Malicious activity
450a46974d091fd125de6b1770c3fdfca3e5a912d10cd056578c16a26f77d39f.apk
salvador
banker
stealer
telegram
4 May, 2025
Malicious activity
a020c8b91c6d5cb46e527cea7d094bf66ec2fb0725dc7bd66e368b2e323dd8f6.apk
salvador
banker
stealer
2 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
How MSSPs Detect Incidents Early with Threat...
watchers 348
comments 0
post image
Free. Powerful. Actionable. Make Smarter Secu...
watchers 2625
comments 0
post image
Enterprise Plan: Boost SOC Performance, Reduc...
watchers 2744
comments 0

Contents

  • What is Salvador Stealer malware?
  • Salvador Stealer Victimology
  • What Salvador Stealer Can Do to User Device
  • How Salvador Stealer Threatens Businesses and Organizations
  • How Does Salvador Stealer Function?
  • Salvador Stealer Attack Chain Live
  • Gathering Threat Intelligence on Salvador Stealer malware
  • Conclusion

Recent blog posts

post image
How MSSPs Detect Incidents Early with Threat...
watchers 348
comments 0
post image
Free. Powerful. Actionable. Make Smarter Secu...
watchers 2625
comments 0
post image
Enterprise Plan: Boost SOC Performance, Reduc...
watchers 2744
comments 0

What is Salvador Stealer malware?

Salvador Stealer is a sophisticated Android banking malware that emerged in early 2025, designed to steal sensitive financial information through advanced social engineering and credential harvesting techniques. This mobile banking trojan masquerades as legitimate banking applications. It employs phishing infrastructure to capture critical user data including banking credentials, one-time passwords (OTPs), and personal identification information.

It is a multi-stage mobile stealer that operates through a dropper-payload architecture. Its primary components are a dropper APK that appears as a legitimate banking application, and a secondary payload (base.apk) containing the core malicious functionality. The malware uses sophisticated obfuscation techniques, including XOR encryption with the key "npmanager" to hide its malicious strings and communications.

Salvador bypasses traditional security measures by leveraging WebView technology to embed phishing pages directly within the application. This approach allows the malware to create a convincing user interface that mimics legitimate banking applications while maintaining direct communication with command and control servers. The persistence mechanisms include automatic restart capabilities and boot-time execution, ensuring continuous operation even after device reboots or manual termination attempts.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Salvador Stealer Victimology

The stealer primarily targets mobile banking users in India and other South Asian regions, as evidenced by its focus on collecting Aadhaar numbers and PAN card details (identification documents specific to the Indian financial system). The malware specifically targets users of popular Indian banking institutions by mimicking their mobile applications and branding.

Its broad spectrum of victims aggregates individuals, small businesses, and large enterprises. It focuses on users with access to valuable data, such as corporate credentials, financial accounts, or cryptocurrency wallets. Organizations in sectors like finance, healthcare, and technology are particularly vulnerable due to the high value of their data. Remote and hybrid work environments, especially those using Bring Your Own Device (BYOD) policies, are at higher risk because of relaxed security controls and increased attack surfaces.

What Salvador Stealer Can Do to User Device

Once installed on an endpoint device, Salvador Stealer can:

  • Steal Credentials: Extracts usernames, passwords, and session cookies from browsers and applications.
  • Harvest Financial Data: Targets credit card details, bank account information, and cryptocurrency wallet credentials.
  • Capture Keystrokes: Uses keyloggers to record user inputs, including unsaved passwords.
  • Hijack Clipboards: Replaces or steals data copied to the clipboard, such as account numbers or crypto addresses.
  • Take Screenshots: Captures screen content to gather sensitive information displayed at critical moments.
  • Exfiltrate Files: Collects local files, such as PDFs or documents containing personal or corporate data.

The malware significantly compromises device security by requesting and abusing critical Android permissions including SMS reception, SMS sending, and internet access. It creates fake notifications to maintain user engagement and establish a legitimate appearance. It also modifies system behavior by registering broadcast receivers that ensure automatic execution upon device startup and network changes.

How Salvador Stealer Threatens Businesses and Organizations

Salvador Stealer poses severe risks to businesses by enabling:

  • Data Breaches: Stolen credentials can lead to unauthorized access to corporate networks, facilitating larger attacks like ransomware.
  • Financial Loss: Theft of financial data or cryptocurrency can result in direct monetary losses.
  • Lateral Movement: Compromised credentials allow attackers to move within networks, targeting critical systems or data repositories.
  • Reputational Damage: Leaked customer or proprietary data can erode trust and lead to regulatory penalties.
  • Ransomware Enablement: Stolen data is often sold to ransomware groups for extortion or further attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

How Does Salvador Stealer Function?

Salvador Stealer operates by infiltrating a system and running in the background to avoid detection. It employs a modular architecture, allowing attackers to customize its payload for specific targets. Upon execution, it scans for valuable data, such as browser-stored credentials, session tokens, and cryptocurrency wallets. The malware communicates with a command-and-control (C2) server to exfiltrate stolen data, often using encrypted channels to evade detection (including Telegram Bot API integration and traditional HTTP POST requests to attacker-controlled servers). Its lack of persistence mechanisms means it focuses on quick data theft, leaving minimal traces unless detected early.

The stealer spreads through common attack vectors, including phishing emails, malicious downloads, social engineering, and malwertising. Phishing pages are designed using WebView technology to closely mimic legitimate banking interfaces, complete with proper branding and user experience elements. The malware injects malicious JavaScript code that intercepts XMLHttpRequest operations, ensuring that all user inputs are captured and forwarded to the attackers.

Advanced SMS interception capabilities allow Salvador Stealer to capture one-time passwords and two-factor authentication codes in real-time. The malware implements dynamic SMS forwarding, where it contacts remote servers to retrieve current forwarding numbers, allowing attackers to modify their collection infrastructure without updating the malware. This flexibility makes the malware particularly dangerous as it can adapt to changing operational requirements.

Salvador Stealer Attack Chain Live

We can see how exactly the above-mentioned tactics, technologies, and approaches combine Salvador’s execution chain by watching its sample detonated in ANY.RUN’s Interactive Sandbox.

View sandbox analysis of Salvador Stealer

Salvador Stealer malware analysis in the Sandbox Salvador Stealer malware analysis in the Sandbox

The two key components art Dropper APK that installs and triggers the second-stage payload, and Base.apk, the actual payload responsible for data theft.

The dropper APK declares specific permissions and intent filters in its AndroidManifest.xml, including package installing.

Once executed, base.apk exhibits several key behaviors:

  1. It establishes a connection to Telegram, which the attackers use as a Command and Control (C2) server to receive stolen data and manage the infection.
  2. It triggers the signature “Starts itself from another location,” confirming that it was dropped and launched by the initial dropper APK rather than being installed directly.

After loading the phishing WebView it requests several Android permissions, including:

  • RECEIVE_SMS
  • SEND_SMS
  • READ_SMS
  • INTERNET

These permissions are essential for the malware’s goals: intercepting one-time passwords (OTPs) and forwarding them. Once the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the Fitzgerald service.

This foreground service creates a fake notification (“Customer support”) and more importantly, it immediately registers a broadcast receiver to intercept incoming SMS. This is the real starting point of the OTP interception process. Every incoming message is captured and parsed by Earnestine. From the PDU, the malware extracts the message body, sender’s number, and timestamp.

Even if the user or system tries to terminate the app’s background service, the malware is programmed to automatically restart it. When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery task using Android’s WorkManager.

If the device itself is rebooted, a separate class named Ellsworth waits for reboot completion and triggers the Fitzgerald service again.

The Salvador Stealer tricks users into entering their banking credentials through a fake banking interface phishing page embedded in the app. Once the user submits their credentials, the data is immediately sent to both the C2 server and a Telegram bot. The data lands on a phishing website controlled by the attacker.

Salvador Stealer sends data to phishing site Stolen data sent to phishing site

By enabling HTTPS MITM Proxy mode in ANY.RUN’s Android sandbox, we were able to intercept and verify the exfiltration of user data in real time.

Credential theft attempts Credential theft attempts captured in the HTTP request logs

ANY.RUN’s analysts researched Salvador Stealer in depth by decoding the malware files and performing technical analysis, and made a number of interesting discoveries.

Gathering Threat Intelligence on Salvador Stealer malware

Threat intelligence provides critical insights into Salvador Stealer’s tactics, techniques, and procedures (TTPs). By analyzing data, organizations can:

  • Identify emerging Salvador Stealer campaigns and their delivery methods.
  • Use indicators of compromise(IOCs) like C2 server IPs or malware signatures to improve detection.
  • Update security policies based on intelligence about new variants or evasion techniques.

Use ANY.RUN’s Treat Intelligence Lookup to find more Salvador samples dissected in the Interactive Sandbox, watch their behavior in the network and on device, collect IOCs and IOBs.

threatName:"salvador"

Salvador Stealer samples found via TI Lookup Salvador Stealer public sandbox analyses found via TI Lookup

Security teams should integrate threat intelligence feeds that include mobile malware indicators, especially Android banking trojans and their associated infrastructure.

Collecting indicators and understanding the TTPs of Salvador Stealer operators enables better detection and prevention strategies. This intelligence should inform security awareness training programs and help organizations adapt their security controls to address specific threat actor behaviors.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Salvador Stealer represents a significant evolution in mobile banking malware with its sophisticated technical capabilities and clever social engineering. Its advanced persistence mechanisms, real-time data exfiltration capabilities, and multi-channel command and control infrastructure make it particularly dangerous to both individual users and organizations.

Continuous vigilance and adaptation are required to enhance security practices. Businesses must invest in mobile security technologies, threat intelligence capabilities, and user education programs to stay ahead of these evolving threats.

Gather actionable intelligence via ANY.RUN’s TI Lookup: start with 50 trial requests.

HAVE A LOOK AT

INC Ransomware screenshot
INC Ransomware
inc
INC Ransomware is a ransomware-as-a-service (RaaS) spotted in mid-2023. It targets industries like retail, real estate, finance, healthcare, and education, primarily in the U.S. and UK. It encrypts and exfiltrates data demanding a ransom. It employs advanced evasion techniques, destroys backup, and abuses legitimate system tools at all the stages of the kill chain.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More