Emerging Android Threat: Salvador Stealer Targets Banking Credentials and OTPs

Cybersecurity experts have recently identified a sophisticated Android malware named Salvador Stealer, designed to illicitly obtain banking credentials and one-time passwords (OTPs) through deceptive phishing tactics. This malware poses a significant risk to users by masquerading as legitimate banking applications, thereby tricking individuals into divulging sensitive financial information.

Infection Mechanism

Salvador Stealer employs a two-stage infection process:

1. Dropper APK: The initial stage involves a dropper application that, once installed, discreetly downloads and executes the primary malicious payload without the user’s knowledge.

2. Malicious Payload: The secondary stage activates the core malware, which presents a convincing banking interface to the user. This interface prompts for personal information, including mobile numbers, Aadhaar numbers, PAN card details, and net banking credentials.

This method effectively deceives users into believing they are interacting with a legitimate banking application, thereby increasing the likelihood of data compromise.

Discovery and Analysis

Security analysts at ANY.RUN identified Salvador Stealer during routine malware monitoring operations on April 1, 2025. The malware’s name originates from internal references to Salvador found within its code, particularly in the SharedPreferences storage keys where configuration data is maintained.

A notable feature of Salvador Stealer is its capability to intercept SMS messages, allowing it to capture OTPs sent by banks. This function effectively bypasses two-factor authentication, a common security measure employed by financial institutions.

SMS Interception Mechanism

Upon installation, Salvador Stealer requests critical permissions, including RECEIVE_SMS, READ_SMS, and SEND_SMS. The malware registers a broadcast receiver to monitor incoming messages. When an SMS arrives, it extracts the message content, sender number, and timestamp.

To exfiltrate the intercepted data, Salvador Stealer employs dual channels:

1. Primary Channel: The malware attempts to forward intercepted messages to a phone number retrieved from a command server.

2. Secondary Channel: If the primary method fails, it resorts to sending the captured data via HTTP POST requests to another endpoint as JSON payloads.

This dual-channel approach gives the stolen data a fallback route to the attackers: if the SMS forwarding path fails, the HTTP channel still delivers it.

Persistence and Evasion Techniques

Salvador Stealer incorporates sophisticated mechanisms to maintain persistence on the infected device:

– Service Rescheduling: Even if users terminate the malicious service, the malware utilizes Android’s WorkManager to reschedule itself, ensuring continuous operation.

– Boot Persistence: The malware registers for the BOOT_COMPLETED broadcast, allowing it to automatically restart after the device is rebooted.

These techniques make it challenging for users to detect and remove the malware from their devices.
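A static triage check for the two behaviours described above (the RECEIVE_SMS/READ_SMS/SEND_SMS permission set with an incoming-SMS receiver, and a BOOT_COMPLETED receiver for persistence), written as an added example for analysts; it is not code from ANY.RUN or from the malware, and the sample manifest and package name are constructed for illustration:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions and broadcast actions named in the report above.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package name) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Extract the manifest features the report ties to OTP theft and persistence."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # Only actions inside <receiver> blocks count: those are the broadcasts
    # the app is woken up for (incoming SMS, device boot).
    receiver_actions = {a.get(NAME_ATTR)
                        for r in root.iter("receiver") for a in r.iter("action")}
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receiver": SMS_RECEIVED_ACTION in receiver_actions,
        "boot_receiver": BOOT_ACTION in receiver_actions,
    }
    # Full read/receive/send triple plus an SMS receiver means the app can capture
    # and forward OTPs; a boot receiver means it survives reboot.
    findings["matches_report_pattern"] = (
        len(findings["sms_permissions"]) == len(SMS_PERMISSIONS)
        and findings["sms_receiver"] and findings["boot_receiver"]
    )
    return findings
```

Legitimate messaging apps also hold these permissions, so treat a match as a prioritisation signal for manual review of the APK, not as a verdict.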

Implications and Recommendations

The emergence of Salvador Stealer underscores the evolving tactics employed by cybercriminals to compromise personal and financial information. By intercepting OTPs, the malware effectively nullifies the protective measures offered by two-factor authentication.

To mitigate the risk of infection:

– Download Applications from Trusted Sources: Only install apps from official app stores and verify the authenticity of the developer.

– Review App Permissions: Be cautious of applications requesting excessive permissions unrelated to their intended functionality.

– Maintain Updated Security Software: Ensure that your device’s operating system and security applications are up to date to protect against known vulnerabilities.

– Exercise Caution with Links and Attachments: Avoid clicking on suspicious links or opening attachments from unknown sources, as these may lead to malware installation.

By adopting these practices, users can enhance their defense against threats like Salvador Stealer and safeguard their sensitive information.