Cybersecurity researchers at ANY.RUN have discovered a sophisticated new Android malware called "Salvador Stealer" that targets banking credentials and one-time passwords (OTPs) through an elaborate phishing scheme. This multi-stage malware masquerades as a legitimate banking application to trick users into revealing sensitive financial information.
The malware employs a two-stage infection process, beginning with a dropper APK that silently installs and launches the actual banking stealer payload. Once active, Salvador Stealer displays a convincing banking interface that prompts victims to enter personal information including mobile numbers, Aadhaar numbers, PAN card details, and net banking credentials.
Security analysts at ANY.RUN identified the threat during routine malware monitoring operations on April 1, 2025.
Their analysis revealed that the malware's name derives from internal references to "Salvador" found in the malware's code, specifically in SharedPreferences storage keys where configuration data is maintained.
"What makes Salvador Stealer particularly dangerous is its ability to steal both login credentials and the OTPs needed to bypass two-factor authentication," explained researchers in their detailed analysis report.
"This effectively nullifies one of the most common security measures implemented by financial institutions."
SMS Interception Mechanism
The malware's most concerning capability is its SMS interception mechanism, which allows attackers to capture authentication codes sent by banks.
Upon installation, Salvador Stealer requests critical permissions including RECEIVE_SMS, READ_SMS, and SEND_SMS.
The interception process begins in the Fitzgerald service class, which registers a broadcast receiver named Earnestine to monitor incoming messages:
```java
// Inside the Fitzgerald service: register the Earnestine receiver at runtime
// so it is invoked for every incoming SMS_RECEIVED broadcast.
this.smsReceiver = new Earnestine();
registerReceiver(this.smsReceiver, new IntentFilter("android.provider.Telephony.SMS_RECEIVED"));
```

When an SMS arrives, the malware extracts the message content, sender number, and timestamp:

```java
// Earnestine.onReceive(Context, Intent): the surrounding loop follows the
// standard SMS_RECEIVED handling pattern; each PDU is one message segment.
// The malware hardcodes the "3gpp" format rather than reading it from the intent.
Object[] pdus = (Object[]) intent.getExtras().get("pdus");
for (Object pdu : pdus) {
    SmsMessage sms = SmsMessage.createFromPdu((byte[]) pdu, "3gpp");
    String messageBody = sms.getMessageBody();
    String senderId = sms.getOriginatingAddress();
    long timestamp = sms.getTimestampMillis();
}
```
Salvador Stealer employs dual exfiltration channels to ensure successful data theft. It first attempts to forward intercepted messages to a phone number retrieved from a command server at "https://t15.muletipushpa.cloud/json/number.php".
If this fails, the malware falls back to HTTP POST requests, sending captured data to another endpoint as JSON payloads.
To maintain persistence, the malware implements sophisticated restart mechanisms.
Even if users terminate the service, Salvador Stealer uses Androidβs WorkManager to reschedule itself.
It also survives device reboots by registering for the BOOT_COMPLETED broadcast.
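The permission set, the SMS receiver and the BOOT_COMPLETED persistence hook described above are all visible in a decoded AndroidManifest.xml, which makes them a cheap first-pass triage signal. The script below is an added example written for this article, not ANY.RUN's tooling or the malware's code: it parses a manifest and scores the combination of SMS permissions, a statically declared SMS_RECEIVED receiver, and a BOOT_COMPLETED receiver backed by RECEIVE_BOOT_COMPLETED. The two manifests are constructed samples; the package names and the `.BootReceiver` class are hypothetical, while `Fitzgerald` is the service name from the article. One caveat the example makes explicit: Salvador Stealer registers its Earnestine receiver dynamically via `registerReceiver()`, so that receiver never appears in the manifest and the heuristic has to fire on permissions plus the boot receiver alone.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions the article reports Salvador Stealer requesting on install.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_COMPLETED_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample: package name and .BootReceiver are hypothetical; the
# Fitzgerald service is named in the article. Note there is no SMS_RECEIVED
# receiver here because the malware registers Earnestine at runtime.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <service android:name=".Fitzgerald"/>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign sample for contrast: network access only, no receivers.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""


def analyze_manifest(manifest_xml: str) -> dict:
    """Extract SMS-theft and persistence indicators from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}

    # Map each statically declared receiver to the actions it filters on.
    # Receivers registered in code (like Earnestine) are invisible here.
    receiver_actions = {
        receiver.get(NAME_ATTR): {a.get(NAME_ATTR) for a in receiver.iter("action")}
        for receiver in root.iter("receiver")
    }
    all_actions = set().union(*receiver_actions.values())

    return {
        "sms_permissions": sorted(permissions & SMS_PERMISSIONS),
        "static_sms_receiver": SMS_RECEIVED_ACTION in all_actions,
        # A boot receiver only works if the matching permission is also held.
        "boot_receiver": BOOT_COMPLETED_ACTION in all_actions
        and BOOT_COMPLETED_PERMISSION in permissions,
        "receivers": {name: sorted(acts) for name, acts in receiver_actions.items()},
    }


def risk_score(indicators: dict) -> int:
    """Simple weighted heuristic: 1 per SMS permission, 2 per persistence/intercept hook."""
    score = len(indicators["sms_permissions"])
    score += 2 if indicators["boot_receiver"] else 0
    score += 2 if indicators["static_sms_receiver"] else 0
    return score


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        ind = analyze_manifest(manifest)
        print(f"{label}: score={risk_score(ind)} indicators={ind}")
```

The score is deliberately coarse: legitimate SMS apps also hold all three SMS permissions, so the value is a triage hint to prioritise dynamic analysis (where a `registerReceiver` call for SMS_RECEIVED and the fallback HTTP POST would show up), not a verdict on its own.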
The discovery of the malwareβs admin panel, which is currently publicly accessible, revealed a WhatsApp contact number with an Indian country code, suggesting possible connections to threat actors in that region.
Security experts recommend users remain vigilant about banking app installations and verify all applications through official channels only.