Cybersecurity researchers have discovered a sophisticated new Android malware, dubbed “Salvador Stealer”, that targets banking credentials and one-time passwords (OTPs) through an elaborate phishing scheme. Security analysts at ANY.RUN identified the threat during routine malware monitoring on April 1, 2025. The malware’s name derives from internal references to “Salvador” in its code, specifically in the SharedPreferences storage keys where its configuration data is maintained.

Salvador Stealer uses a two-stage infection process: a dropper APK silently installs and launches the actual banking stealer payload. Upon installation, the stealer requests the SMS permissions RECEIVE_SMS, READ_SMS and SEND_SMS. Once active, it masquerades as a legitimate banking application and displays a convincing banking interface that prompts victims to enter personal information, including mobile numbers, Aadhaar numbers, PAN card details and net banking credentials. “What makes Salvador Stealer particularly dangerous is its ability to steal both login credentials and the OTPs needed to bypass two-factor authentication,” the researchers explained in their detailed analysis report. The malware employs dual exfiltration channels so that stolen data is still delivered if one channel fails, and even if users terminate its service, it uses Android’s WorkManager to reschedule itself.

The malware’s admin panel, which was publicly accessible at the time of the analysis, revealed a WhatsApp contact number with an Indian country code, suggesting possible connections to threat actors in that region. Security experts recommend that users remain vigilant about banking app installations and install applications only through official channels.
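The permission and persistence pattern described above (the SMS permission triad, an SMS broadcast receiver, a dropper that installs a second APK, and WorkManager rescheduling) is something an analyst can triage statically from a decoded AndroidManifest.xml before running the sample. The script below is an added example written for this article, not code from ANY.RUN or from the malware analysis. It assumes two heuristics that are not stated in the article: that a dropper installing a payload APK declares REQUEST_INSTALL_PACKAGES, and that the WorkManager library shows up in the merged manifest as components under the androidx.work namespace. The sample manifest embedded in the script is constructed for illustration and is not taken from the real sample.

```python
"""Static triage of a decoded AndroidManifest.xml for the Salvador Stealer
permission/persistence pattern: SMS permission triad, SMS_RECEIVED receiver,
REQUEST_INSTALL_PACKAGES (assumed dropper indicator) and WorkManager
components (assumed persistence indicator). Added example, not the
analysts' tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

SMS_TRIAD = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Assumption: a dropper that installs a second APK on modern Android declares this.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: WorkManager's merged manifest entries live under this namespace.
WORKMANAGER_PREFIX = "androidx.work."

# Constructed sample manifest (illustration only, not the real malware's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Bank Update">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name="androidx.work.impl.background.systemjob.SystemJobService"
            android:permission="android.permission.BIND_JOB_SERVICE"/>
    </application>
</manifest>
"""

# Constructed benign control: a plain app with no SMS or install capability.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found in a manifest plus a simple weighted score."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}

    # Receivers whose intent filter listens for incoming SMS (OTP interception).
    sms_receivers = []
    for rcv in root.iter("receiver"):
        if any(a.get(NAME_ATTR) == SMS_RECEIVED_ACTION for a in rcv.iter("action")):
            sms_receivers.append(rcv.get(NAME_ATTR))

    # Any declared component under the WorkManager namespace.
    workmanager = [
        e.get(NAME_ATTR)
        for tag in ("service", "provider", "receiver")
        for e in root.iter(tag)
        if (e.get(NAME_ATTR) or "").startswith(WORKMANAGER_PREFIX)
    ]

    findings = {
        "package": root.get("package"),
        "sms_triad": SMS_TRIAD <= perms,
        "sms_receiver": sorted(sms_receivers),
        "requests_install": INSTALL_PERM in perms,
        "workmanager": sorted(workmanager),
    }
    # Full SMS triad weighs double; the other indicators count one each.
    findings["score"] = (
        2 * findings["sms_triad"]
        + bool(sms_receivers)
        + findings["requests_install"]
        + bool(workmanager)
    )
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

Feed it the manifest produced by `apktool d sample.apk` (or any decoder that emits text XML; the binary AXML inside an unpacked APK must be decoded first). A score of 4 or more on a package that presents itself as a banking app is worth a closer look; a legitimate SMS client will also hit the SMS triad and receiver, so the score is a triage prompt, not a verdict.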
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Apr 2025 13:20:07 +0000