Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Salvador Stealer

salvador
152
Global rank
152 infographic chevron month
Month rank
151 infographic chevron week
Week rank
0
IOCs

Salvador Stealer is a powerful, information-stealing Android malware designed to silently infiltrate systems, extract sensitive data, and exfiltrate it to cybercriminals. Often sold on underground forums, it is part of the growing ecosystem of “stealers-as-a-service” (SaaS) tools that target individuals and organizations alike.

Stealer
Type
Unknown
Origin
1 February, 2025
First seen
18 May, 2025
Last seen

How to analyze Salvador Stealer with ANY.RUN

Stealer
Type
Unknown
Origin
1 February, 2025
First seen
18 May, 2025
Last seen

IOCs

Last Seen at
4 May, 2025
Malicious activity
450a46974d091fd125de6b1770c3fdfca3e5a912d10cd056578c16a26f77d39f.apk
salvador
banker
stealer
telegram
4 May, 2025
Malicious activity
a020c8b91c6d5cb46e527cea7d094bf66ec2fb0725dc7bd66e368b2e323dd8f6.apk
salvador
banker
stealer
2 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
TRACK THEM ALL AT
Public Submissions
Last Seen at
4 May, 2025
Malicious activity
450a46974d091fd125de6b1770c3fdfca3e5a912d10cd056578c16a26f77d39f.apk
salvador
banker
stealer
telegram
4 May, 2025
Malicious activity
a020c8b91c6d5cb46e527cea7d094bf66ec2fb0725dc7bd66e368b2e323dd8f6.apk
salvador
banker
stealer
2 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
1 April, 2025
Malicious activity
INDUSLND_BANK_E_KYC.apk
salvador
banker
stealer
telegram
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
How MSSPs Detect Incidents Early with Threat...
watchers 294
comments 0
post image
Free. Powerful. Actionable. Make Smarter Secu...
watchers 2514
comments 0
post image
Enterprise Plan: Boost SOC Performance, Reduc...
watchers 2726
comments 0

Contents

  • What is Salvador Stealer malware?
  • Salvador Stealer Victimology
  • What Salvador Stealer Can Do to User Device
  • How Salvador Stealer Threatens Businesses and Organizations
  • How Does Salvador Stealer Function?
  • Salvador Stealer Attack Chain Live
  • Gathering Threat Intelligence on Salvador Stealer malware
  • Conclusion

Recent blog posts

post image
How MSSPs Detect Incidents Early with Threat...
watchers 294
comments 0
post image
Free. Powerful. Actionable. Make Smarter Secu...
watchers 2514
comments 0
post image
Enterprise Plan: Boost SOC Performance, Reduc...
watchers 2726
comments 0

What is Salvador Stealer malware?

Salvador Stealer is a sophisticated Android banking malware that emerged in early 2025, designed to steal sensitive financial information through advanced social engineering and credential harvesting techniques. This mobile banking trojan masquerades as legitimate banking applications. It employs phishing infrastructure to capture critical user data including banking credentials, one-time passwords (OTPs), and personal identification information.

It is a multi-stage mobile stealer that operates through a dropper-payload architecture. Its primary components are a dropper APK that appears as a legitimate banking application, and a secondary payload (base.apk) containing the core malicious functionality. The malware uses sophisticated obfuscation techniques, including XOR encryption with the key "npmanager" to hide its malicious strings and communications.

Salvador bypasses traditional security measures by leveraging WebView technology to embed phishing pages directly within the application. This approach allows the malware to create a convincing user interface that mimics legitimate banking applications while maintaining direct communication with command and control servers. The persistence mechanisms include automatic restart capabilities and boot-time execution, ensuring continuous operation even after device reboots or manual termination attempts.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Salvador Stealer Victimology

The stealer primarily targets mobile banking users in India and other South Asian regions, as evidenced by its focus on collecting Aadhaar numbers and PAN card details (identification documents specific to the Indian financial system). The malware specifically targets users of popular Indian banking institutions by mimicking their mobile applications and branding.

Its broad spectrum of victims aggregates individuals, small businesses, and large enterprises. It focuses on users with access to valuable data, such as corporate credentials, financial accounts, or cryptocurrency wallets. Organizations in sectors like finance, healthcare, and technology are particularly vulnerable due to the high value of their data. Remote and hybrid work environments, especially those using Bring Your Own Device (BYOD) policies, are at higher risk because of relaxed security controls and increased attack surfaces.

What Salvador Stealer Can Do to User Device

Once installed on an endpoint device, Salvador Stealer can:

  • Steal Credentials: Extracts usernames, passwords, and session cookies from browsers and applications.
  • Harvest Financial Data: Targets credit card details, bank account information, and cryptocurrency wallet credentials.
  • Capture Keystrokes: Uses keyloggers to record user inputs, including unsaved passwords.
  • Hijack Clipboards: Replaces or steals data copied to the clipboard, such as account numbers or crypto addresses.
  • Take Screenshots: Captures screen content to gather sensitive information displayed at critical moments.
  • Exfiltrate Files: Collects local files, such as PDFs or documents containing personal or corporate data.

The malware significantly compromises device security by requesting and abusing critical Android permissions including SMS reception, SMS sending, and internet access. It creates fake notifications to maintain user engagement and establish a legitimate appearance. It also modifies system behavior by registering broadcast receivers that ensure automatic execution upon device startup and network changes.

How Salvador Stealer Threatens Businesses and Organizations

Salvador Stealer poses severe risks to businesses by enabling:

  • Data Breaches: Stolen credentials can lead to unauthorized access to corporate networks, facilitating larger attacks like ransomware.
  • Financial Loss: Theft of financial data or cryptocurrency can result in direct monetary losses.
  • Lateral Movement: Compromised credentials allow attackers to move within networks, targeting critical systems or data repositories.
  • Reputational Damage: Leaked customer or proprietary data can erode trust and lead to regulatory penalties.
  • Ransomware Enablement: Stolen data is often sold to ransomware groups for extortion or further attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

How Does Salvador Stealer Function?

Salvador Stealer operates by infiltrating a system and running in the background to avoid detection. It employs a modular architecture, allowing attackers to customize its payload for specific targets. Upon execution, it scans for valuable data, such as browser-stored credentials, session tokens, and cryptocurrency wallets. The malware communicates with a command-and-control (C2) server to exfiltrate stolen data, often using encrypted channels to evade detection (including Telegram Bot API integration and traditional HTTP POST requests to attacker-controlled servers). Its lack of persistence mechanisms means it focuses on quick data theft, leaving minimal traces unless detected early.

The stealer spreads through common attack vectors, including phishing emails, malicious downloads, social engineering, and malwertising. Phishing pages are designed using WebView technology to closely mimic legitimate banking interfaces, complete with proper branding and user experience elements. The malware injects malicious JavaScript code that intercepts XMLHttpRequest operations, ensuring that all user inputs are captured and forwarded to the attackers.

Advanced SMS interception capabilities allow Salvador Stealer to capture one-time passwords and two-factor authentication codes in real-time. The malware implements dynamic SMS forwarding, where it contacts remote servers to retrieve current forwarding numbers, allowing attackers to modify their collection infrastructure without updating the malware. This flexibility makes the malware particularly dangerous as it can adapt to changing operational requirements.

Salvador Stealer Attack Chain Live

We can see how exactly the above-mentioned tactics, technologies, and approaches combine Salvador’s execution chain by watching its sample detonated in ANY.RUN’s Interactive Sandbox.

View sandbox analysis of Salvador Stealer

Salvador Stealer malware analysis in the Sandbox Salvador Stealer malware analysis in the Sandbox

The two key components art Dropper APK that installs and triggers the second-stage payload, and Base.apk, the actual payload responsible for data theft.

The dropper APK declares specific permissions and intent filters in its AndroidManifest.xml, including package installing.

Once executed, base.apk exhibits several key behaviors:

  1. It establishes a connection to Telegram, which the attackers use as a Command and Control (C2) server to receive stolen data and manage the infection.
  2. It triggers the signature “Starts itself from another location,” confirming that it was dropped and launched by the initial dropper APK rather than being installed directly.

After loading the phishing WebView it requests several Android permissions, including:

  • RECEIVE_SMS
  • SEND_SMS
  • READ_SMS
  • INTERNET

These permissions are essential for the malware’s goals: intercepting one-time passwords (OTPs) and forwarding them. Once the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the Fitzgerald service.

This foreground service creates a fake notification (“Customer support”) and more importantly, it immediately registers a broadcast receiver to intercept incoming SMS. This is the real starting point of the OTP interception process. Every incoming message is captured and parsed by Earnestine. From the PDU, the malware extracts the message body, sender’s number, and timestamp.

Even if the user or system tries to terminate the app’s background service, the malware is programmed to automatically restart it. When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery task using Android’s WorkManager.

If the device itself is rebooted, a separate class named Ellsworth waits for reboot completion and triggers the Fitzgerald service again.

The Salvador Stealer tricks users into entering their banking credentials through a fake banking interface phishing page embedded in the app. Once the user submits their credentials, the data is immediately sent to both the C2 server and a Telegram bot. The data lands on a phishing website controlled by the attacker.

Salvador Stealer sends data to phishing site Stolen data sent to phishing site

By enabling HTTPS MITM Proxy mode in ANY.RUN’s Android sandbox, we were able to intercept and verify the exfiltration of user data in real time.

Credential theft attempts Credential theft attempts captured in the HTTP request logs

ANY.RUN’s analysts researched Salvador Stealer in depth by decoding the malware files and performing technical analysis, and made a number of interesting discoveries.

Gathering Threat Intelligence on Salvador Stealer malware

Threat intelligence provides critical insights into Salvador Stealer’s tactics, techniques, and procedures (TTPs). By analyzing data, organizations can:

  • Identify emerging Salvador Stealer campaigns and their delivery methods.
  • Use indicators of compromise(IOCs) like C2 server IPs or malware signatures to improve detection.
  • Update security policies based on intelligence about new variants or evasion techniques.

Use ANY.RUN’s Treat Intelligence Lookup to find more Salvador samples dissected in the Interactive Sandbox, watch their behavior in the network and on device, collect IOCs and IOBs.

threatName:"salvador"

Salvador Stealer samples found via TI Lookup Salvador Stealer public sandbox analyses found via TI Lookup

Security teams should integrate threat intelligence feeds that include mobile malware indicators, especially Android banking trojans and their associated infrastructure.

Collecting indicators and understanding the TTPs of Salvador Stealer operators enables better detection and prevention strategies. This intelligence should inform security awareness training programs and help organizations adapt their security controls to address specific threat actor behaviors.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Salvador Stealer represents a significant evolution in mobile banking malware with its sophisticated technical capabilities and clever social engineering. Its advanced persistence mechanisms, real-time data exfiltration capabilities, and multi-channel command and control infrastructure make it particularly dangerous to both individual users and organizations.

Continuous vigilance and adaptation are required to enhance security practices. Businesses must invest in mobile security technologies, threat intelligence capabilities, and user education programs to stay ahead of these evolving threats.

Gather actionable intelligence via ANY.RUN’s TI Lookup: start with 50 trial requests.

HAVE A LOOK AT

Phobos screenshot
Phobos
phobos ransomware
Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
Maze screenshot
Maze
maze ransomware
Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
Quasar RAT screenshot
Quasar RAT
quasar trojan rat
Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More