DUBAI, DUBAI, UNITED ARAB EMIRATES, April 1, 2025 /EINPresswire.com/ -- ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, has uncovered a new Android malware variant, internally naming it Salvador Stealer. Disguised as a legitimate banking application, this malware is designed to steal sensitive personal and financial data, including net banking credentials and OTPs.

How Salvador Stealer Works

Salvador Stealer follows a two-stage infection chain. It is first delivered as a dropper APK, which silently installs a second-stage payload — the actual banking credential stealer.

Once active, the malware displays a fake banking interface inside the app to trick users into entering their personal and banking details. It also abuses SMS permissions to intercept OTPs and verification codes, allowing attackers to bypass two-factor authentication.

Key findings

· Two-stage infection chain: Dropper APK installs the banking stealer payload.

· Phishing-based credential theft: Victims are tricked into entering personal and banking data.

· Real-time exfiltration: Stolen information is sent to a phishing server and Telegram C2.

· OTP interception: The malware captures incoming SMS messages to steal OTPs.

· Persistence techniques: Automatically restarts after being stopped and survives device reboots.

· Exposed infrastructure: Publicly accessible admin panel and attacker’s contact information.

To explore the full technical analysis and see how Salvador Stealer operates in real time, visit the detailed report on the ANY.RUN Blog.

About ANY.RUN

ANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions. Trusted by over 15,000 companies and more than 500,000 cybersecurity professionals worldwide, ANY.RUN empowers security teams to detect, analyze, and investigate cyber threats in real time across Windows, Linux, and Android environments. Every day, the platform processes more than 20,000 malware samples, helping organizations stay ahead of evolving cyber threats.

