NEWS A Trojan in Your Pocket: Salvador Stealer Hijacks OTP Codes and Drains Bank Accounts

Doni

Stolen SMS messages reach hackers even without an internet connection.

Security analysts at ANY.RUN have identified a new piece of Android malware named Salvador Stealer. Its main objective is to harvest banking credentials and one-time passwords (OTPs). The infection begins with a dropper disguised as a legitimate banking app. Once installed, the dropper downloads and launches the main malicious payload in the background, without the user's knowledge.


Salvador Stealer primarily targets users in India and is designed to steal personal information such as mobile phone numbers, Aadhaar numbers, PAN card details, dates of birth, and online banking credentials. All of this data is sent simultaneously to an attacker-controlled website and to a Telegram bot. The malware features a built-in phishing page that closely mimics real banking interfaces to deceive users into entering their sensitive data.


One of its most dangerous capabilities is intercepting incoming SMS messages, which lets attackers grab the OTP codes used for two-factor authentication. Once captured, this data is transmitted either as a regular SMS to a predefined phone number or as an HTTP request to a remote server. Because the SMS channel needs no data connection, delivery succeeds even when the victim's internet connection is unstable or absent.


The malware maintains persistence using several techniques. It automatically restarts if closed and reactivates when the device reboots. This is achieved through system broadcast receivers and high-priority background services. The malicious code is spread across multiple components, including hidden classes whose only job is to keep the malware resident in memory.
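The combination described in the two paragraphs above (an SMS broadcast receiver, a second exfiltration path over SMS, and a boot-completed receiver for persistence) is visible in an APK's manifest before any dynamic analysis. The following triage script is an added example written for this post; it is neither ANY.RUN's tooling nor code from the malware. It assumes the binary AndroidManifest.xml has already been decoded to plain XML (apktool or androguard do this), and the manifest it parses is a constructed placeholder with invented package and class names, not the real Salvador Stealer manifest.

```python
"""Triage a decoded AndroidManifest.xml for SMS-interception and persistence indicators.

Added example; not ANY.RUN's tooling and not the malware's own code.
Assumes the AXML has already been decoded to plain XML (e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PRIORITY = f"{{{ANDROID_NS}}}priority"

# Permissions that, taken together, match the behaviour described in the article.
PERM_SMS_READ = "android.permission.RECEIVE_SMS"
PERM_SMS_SEND = "android.permission.SEND_SMS"
PERM_NET = "android.permission.INTERNET"
PERM_BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
PERM_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"  # dropper side-loading the payload

ACTION_SMS = "android.provider.Telephony.SMS_RECEIVED"
ACTION_BOOT = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest for illustration: package and class names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Bank">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".KeepAliveService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return declared permissions, receiver/action pairs and a list of risk flags."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}

    receivers = []  # (receiver class, broadcast action, intent-filter priority)
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            prio = int(flt.get(A_PRIORITY, "0"))
            for act in flt.iter("action"):
                receivers.append((recv.get(A_NAME), act.get(A_NAME), prio))

    flags = []
    sms_rx = [r for r in receivers if r[1] == ACTION_SMS]
    if PERM_SMS_READ in perms and sms_rx:
        flags.append("sms_interception")
        # A raised priority lets the receiver see the SMS before the default messaging app.
        if any(r[2] > 0 for r in sms_rx):
            flags.append("high_priority_sms_receiver")
    if PERM_SMS_SEND in perms and PERM_NET in perms:
        flags.append("dual_exfil_channel")  # SMS to a number or HTTP to a server
    if PERM_BOOT in perms and any(r[1] == ACTION_BOOT for r in receivers):
        flags.append("boot_persistence")
    if PERM_INSTALL in perms:
        flags.append("can_sideload_payload")

    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "receivers": receivers,
        "flags": flags,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["flags"])
    for cls, action, prio in report["receivers"]:
        print(f"  {cls} <- {action} (priority {prio})")
```

None of these flags is proof of malice on its own (a legitimate SMS app declares RECEIVE_SMS too); the point is that a "banking" app declaring all of them at once is worth a closer look, and the receiver list tells you which classes to read first when you open the decompiled code.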


An analysis of the malicious APK revealed that its data is obfuscated with XOR using a static key, "npmanager". Because XOR with a fixed key is trivially reversible, researchers were able to decode the strings and uncover the command structure used for intercepting messages and transmitting them to external resources. The malware loads its malicious pages in a WebView component with JavaScript enabled. It also hooks the AJAX requests made from those pages, intercepting the submitted form data and sending it to Telegram.
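Decoding strings protected this way takes a few lines, and the same XOR relationship lets an analyst confirm the key from a known plaintext fragment when it is not sitting in the code. The script below is an added example written for this post, not ANY.RUN's tooling or code from the sample. The hex blob it decodes was constructed by XOR'ing a placeholder string with the reported key "npmanager"; it is not a real Salvador Stealer string, and the URL in it is not a real C2 address.

```python
"""Decode strings XOR'd with a static repeating key, and recover the key from a crib.

Added example; not ANY.RUN's tooling and not code from the malware.
"""
from itertools import cycle

STATIC_KEY = b"npmanager"  # the key reported in the ANY.RUN analysis

# Constructed sample: the placeholder string "https://c2.invalid/gate" XOR'd with
# STATIC_KEY. Not a real string from the APK and not a real C2 address.
SAMPLE_HEX = "060419111d5b484a115c5e040f18000b0c1641170c150b"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is symmetric, so this both encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; a cheap decode sanity check."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(blob)


def decode_hex(hex_blob: str, key: bytes = STATIC_KEY) -> str:
    """Decode a hex-encoded XOR'd string; refuse results that do not look like text."""
    plain = xor_repeating(bytes.fromhex(hex_blob), key)
    if printable_ratio(plain) < 0.9:
        raise ValueError("decoded bytes are mostly non-printable: wrong key or key length?")
    return plain.decode("utf-8", errors="replace")


def recover_key_fragment(ciphertext: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Known-plaintext check: if `crib` really is the plaintext at `offset`, XOR'ing it with
    the ciphertext there yields len(crib) bytes of the repeating key (starting at
    offset mod key length). A crib as long as the key recovers the whole key."""
    segment = ciphertext[offset:offset + len(crib)]
    if len(segment) != len(crib):
        raise ValueError("crib runs past the end of the ciphertext")
    return bytes(c ^ p for c, p in zip(segment, crib))


if __name__ == "__main__":
    ct = bytes.fromhex(SAMPLE_HEX)
    print("decoded:", decode_hex(SAMPLE_HEX))
    # C2 strings usually start with a URL scheme, which makes a convenient crib.
    print("key from crib:", recover_key_fragment(ct, b"https://c"))
```

In practice you run `decode_hex` over every string constant the decompiler shows you and keep the ones that pass the printable check; the crib trick is for the case where the key has been split or computed at runtime and you want to verify your guess against a string you are confident about, such as one beginning with `https://`.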


The infrastructure supporting Salvador Stealer was found to be partially exposed. Both the admin panel and the phishing pages were accessible without authentication. Moreover, a WhatsApp number registered in India was discovered in the backend, potentially revealing the developers' location.


Salvador Stealer poses a serious threat not only to ordinary users, who risk losing money and personal data, but also to financial institutions, through increased fraud and eroded customer trust. Threats of this kind are becoming more sophisticated, combining phishing, traffic interception, and resilient persistence mechanisms.


Experts emphasize that detecting such threats requires not only static analysis but also real-time behavioral monitoring. Interactive sandboxes let researchers observe the malware's behavior as it runs, identify its infrastructure, and respond quickly to incidents.