Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It uses a multi-stage attack chain: a dropper APK installs the main payload. The malware loads a phishing page inside the app to collect personal and banking data, including Aadhaar numbers, PAN card details, and net banking credentials, and exfiltrates the stolen information in real time to both a phishing server and a Telegram-based command-and-control server. Salvador Stealer also intercepts SMS messages to capture one-time passwords and banking verification codes, defeating SMS-based two-factor authentication. It maintains persistence by restarting itself automatically when stopped and by surviving device reboots. Analysis revealed exposed infrastructure, including a reachable admin panel, which potentially links the operator to India.
Author: AlienVault
Related Tags:
Salvador Stealer
sms interception
British Indian Ocean Territory
data exfiltration
credential stealing
Banking
persistence
Finance
India
Associated Indicators:
SHA256: 21504D3F2F3C8D8D231575CA25B4E7E0871AD36CA6BBB825BF7F12BFC3B00F5A
URL: https://t15.muletipushpa.cloud/json/number.php
URL: https://t15.muletipushpa.cloud/post.php
URL: https://t15.muletipushpa.cloud/page/
URL: http://t15.muletipushpa.cloud/page/start.php
URL: http://t15.muletipushpa.cloud/admin/login.php
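The summary above describes exfiltration to a phishing server and a Telegram C2, and the indicator list gives one sample hash and five URLs on a single host. The script below is an added example (not part of the pulse or any AlienVault tooling) that turns those indicators into a sweep over proxy logs and a file-hash inventory. The log format, the client addresses, the log lines themselves and the Telegram Bot API heuristic are all constructed assumptions: the pulse does not publish the Telegram endpoint, and the "sibling host in the same zone" rule assumes the operator reuses the muletipushpa.cloud zone, so those hits are reported at lower confidence.

```python
"""Sweep proxy logs and file hashes for the Salvador Stealer pulse indicators.

Added example; log format, sample lines and the lower-confidence heuristics
are assumptions, not content of the pulse.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the pulse (hash lower-cased for comparison).
PULSE_SHA256 = {
    "21504d3f2f3c8d8d231575ca25b4e7e0871ad36ca6bbb825bf7f12bfc3b00f5a",
}
PULSE_URLS = [
    "https://t15.muletipushpa.cloud/json/number.php",
    "https://t15.muletipushpa.cloud/post.php",
    "https://t15.muletipushpa.cloud/page/",
    "http://t15.muletipushpa.cloud/page/start.php",
    "http://t15.muletipushpa.cloud/admin/login.php",
]

# Assumption: the pulse names Telegram as the C2 channel but gives no endpoint,
# so Bot API calls (path /bot<id>:<token>/...) are flagged at low confidence.
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")


def _host_and_path(url):
    """Return (lower-cased host, path) for a URL; host is '' if unparsable."""
    p = urlparse(url)
    return (p.hostname or "").lower(), p.path or "/"


IOC_HOSTS = {h for h, _ in map(_host_and_path, PULSE_URLS)}
IOC_PATHS = {(h, p) for h, p in map(_host_and_path, PULSE_URLS)}
# Parent zones of the indicator hosts, e.g. muletipushpa.cloud (assumption:
# other hosts in the same zone are related infrastructure, medium confidence).
IOC_ZONES = {h.split(".", 1)[1] for h in IOC_HOSTS if h.count(".") >= 2}


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    url: str
    confidence: str  # "high" | "medium" | "low"
    reason: str


# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def classify_url(url):
    """Return (confidence, reason) if the URL matches an indicator, else None."""
    host, path = _host_and_path(url)
    if not host:
        return None
    if (host, path) in IOC_PATHS:
        return "high", "exact URL indicator"
    if host in IOC_HOSTS:
        return "high", "indicator host, path not in pulse"
    if any(host == z or host.endswith("." + z) for z in IOC_ZONES):
        return "medium", "sibling host in indicator zone"
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        return "low", "Telegram Bot API call (possible C2 channel)"
    return None


def scan_proxy_log(lines):
    """Match each well-formed log line against the indicators; skip the rest."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, _, url, _ = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append(Hit(n, client, url, verdict[0], verdict[1]))
    return hits


def match_hashes(sha256_values):
    """Return the inventory hashes (lower-cased) that appear in the pulse."""
    return sorted(h.lower() for h in sha256_values if h.lower() in PULSE_SHA256)


# Constructed sample log; 10.20.0.17 plays the infected handset.
SAMPLE_LOG = [
    "2025-04-02T09:14:03Z 10.20.0.17 POST https://t15.muletipushpa.cloud/post.php 200",
    "2025-04-02T09:14:05Z 10.20.0.17 GET https://t15.muletipushpa.cloud/page/verify.php 200",
    "2025-04-02T09:14:09Z 10.20.0.17 POST https://api.telegram.org/bot123456789:AAExampleToken_abc/sendMessage 200",
    "2025-04-02T09:15:00Z 10.20.0.44 GET https://www.example.com/ 200",
    "2025-04-02T09:15:31Z 10.20.0.17 GET https://t16.muletipushpa.cloud/page/ 200",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no} {hit.client} [{hit.confidence}] {hit.reason}: {hit.url}")
    print("hash matches:", match_hashes(["21504D3F2F3C8D8D231575CA25B4E7E0871AD36CA6BBB825BF7F12BFC3B00F5A"]))
```

Run it against the constructed sample and the infected handset surfaces four hits: two high-confidence (the exact post.php indicator and a previously unseen path on the indicator host), one medium (a t16 sibling host) and one low (a Telegram Bot API call). The unrelated client and the malformed line produce nothing. In a real deployment replace SAMPLE_LOG with your proxy export and widen LOG_RE to your log format; the host-level and zone-level rules are what catch the operator rotating paths or subdomains after the pulse was published.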