Salvador Stealer is a sophisticated Android banking trojan that targets financial applications through advanced phishing techniques. This malware creates convincing fake banking interfaces to steal credentials, intercepts SMS messages to bypass two-factor authentication, and sends sensitive data directly to cybercriminals. In this analysis, we’ll examine how Salvador Stealer works and provide actionable steps to protect your mobile device.
Source: Kaspersky Security Bulletin
What is Salvador Stealer? Key Threat Information
Salvador Stealer emerged in 2023 as a targeted Android banking malware designed to steal financial credentials and one-time passwords (OTPs). Security researchers at ANY.RUN first documented this threat, providing critical insights into its operation and highlighting its particular focus on banking applications.
Attribute | Details |
---|---|
Malware Type | Banking Trojan, Information Stealer |
Platform | Android |
Discovery Date | 2023 |
Main Targets | Banking Applications, Financial Data |
Primary Dropper Hash (SHA256) | 21504D3F2F3C8D8D231575CA25B4E7E0871AD36CA6BBB825BF7F12BFC3B00F5A |
Payload Hash (SHA256) | 7950CC61688A5BDDBCE3CB8E7CD6BEC47EEE9E38DA3210098F5A5C20B39FB6D8 |
Affected Regions | Global (Suspected origin: India) |
The malware derives its name from internal references found in its configuration files, specifically within SharedPreferences storage keys. Unlike less sophisticated threats, Salvador Stealer creates highly convincing fake banking interfaces that are nearly indistinguishable from legitimate apps. Its primary objective is to harvest sensitive financial information including:
- Mobile numbers registered with banking services
- Government ID numbers (Aadhaar and PAN cards)
- Personal details including dates of birth
- Net banking credentials (user IDs and passwords)
- One-time passwords sent via SMS
Technical Analysis of Salvador Stealer Infection Chain
Salvador Stealer uses a two-stage infection chain: a small dropper that looks harmless at install time, followed by a second APK that carries the actual banking logic. Splitting the malware this way keeps the obviously malicious code out of the file the victim is first asked to install. Understanding the chain is also what makes the later detection steps meaningful.
Initial Infection and Installation Process
The infection begins with a dropper application (identified as INDUSLND_BANK_E_KYC.apk, named to look like a bank's e-KYC app) that the victim is persuaded to sideload from outside the Google Play Store. Its AndroidManifest.xml declares the permission and the callback receiver needed to install a second APK:

```xml
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
<intent-filter>
    <action android:name="com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED" android:exported="true"/>
</intent-filter>
```

REQUEST_INSTALL_PACKAGES lets the app hand an APK to the system package installer; it does not bypass the installer. On Android 8 and later the user still has to allow "install unknown apps" for the dropper and confirm the install dialog, and that confirmation is the step the social engineering is built to get past. The action string is the one used in Android's own ApiDemos sample for the PackageInstaller Session API, where it names the broadcast the installer sends back with the result of a committed session; the dropper reuses it as its status callback (in a well-formed manifest, android:exported belongs on the enclosing `<receiver>` element, not on `<action>`). Through that install session the dropper writes and commits the main payload, named Base.apk.

The payload application obfuscates its strings to keep its configuration and C2 details away from static analysis. Specifically, it stores them as hex-encoded bytes XORed with the repeating key "npmanager", so the Telegram token, domains and commands do not show up in a plain strings search. Analysts can recover them in CyberChef with the recipe below (From_Hex, then XOR with the key taken as Latin1 bytes):

```
From_Hex('Auto')XOR({'option':'Latin1','string':'npmanager'},'Standard',false)
```
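The same de-obfuscation as a stand-alone script, added here as an example rather than taken from the malware or the original analysis. The XOR key is the one reported above; the `recover_strings` helper, which scans a decompiler dump for hex runs and keeps those that decode to readable text, is an assumed analyst workflow, and the sample dump it runs on is constructed for the example.

```python
"""Repeating-key XOR de-obfuscation for Salvador Stealer strings (added example).

Mirrors the CyberChef recipe From_Hex -> XOR(key "npmanager"). The dump-scanning
helper is an assumed workflow, not something the page documents.
"""
import re
import string

XOR_KEY = b"npmanager"  # key reported in the analysis
PRINTABLE = set(string.printable) - set("\x0b\x0c")
HEX_RUN_RE = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{16,})(?![0-9A-Fa-f])")


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice returns the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: str, key: bytes = XOR_KEY) -> str:
    """Encode the way the sample stores strings (XOR, then hex); used only to build samples."""
    return xor_bytes(plaintext.encode("utf-8"), key).hex()


def deobfuscate_hex(hex_string: str, key: bytes = XOR_KEY) -> str:
    """From_Hex followed by XOR with the key, exactly as in the CyberChef recipe."""
    return xor_bytes(bytes.fromhex(hex_string), key).decode("utf-8", errors="replace")


def looks_like_text(s: str, min_ratio: float = 0.95) -> bool:
    """Heuristic: the right key yields almost entirely printable output."""
    return bool(s) and sum(c in PRINTABLE for c in s) / len(s) >= min_ratio


def recover_strings(dump: str, key: bytes = XOR_KEY) -> dict:
    """Find hex runs in a decompiled-source dump and keep those that XOR-decode to text."""
    found = {}
    for m in HEX_RUN_RE.finditer(dump):
        run = m.group(1)
        if len(run) % 2:  # an odd-length run cannot be a byte string
            continue
        decoded = deobfuscate_hex(run, key)
        if looks_like_text(decoded):
            found[run] = decoded
    return found


# Constructed stand-in for a jadx dump: one XOR-encoded URL from the page's IOCs
# and one SHA256 hash, which is hex but not an encoded string.
C2_URL = "https://t15.muletipushpa.cloud/json/number.php"
SAMPLE_DUMP = (
    'String url = a("' + obfuscate(C2_URL) + '");\n'
    'String hash = "7950CC61688A5BDDBCE3CB8E7CD6BEC47EEE9E38DA3210098F5A5C20B39FB6D8";\n'
)

if __name__ == "__main__":
    for enc, dec in recover_strings(SAMPLE_DUMP).items():
        print(f"{enc[:24]}... -> {dec}")
```

The printability filter is what separates real encoded strings from other hex in the dump (hashes, resource IDs); a hash XORed with the key decodes to mostly non-printable bytes and is dropped. If a sample ever changes the key, the same scan can be rerun with each candidate key and only the correct one will produce readable output.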
Data Theft Techniques and Mechanisms
Once installed, Salvador Stealer deploys several methods to steal sensitive information:
- WebView phishing pages: The malware uses Android's WebView component to render phishing pages that mimic the targeted banking apps, loaded from domains such as t15.muletipushpa.cloud/page/. What the page calls overlays are web pages shown inside the malicious app's own WebView, which is why the phishing content can be updated server-side without shipping a new APK.
- JavaScript injection: Salvador injects JavaScript into those pages that hooks the XMLHttpRequest functions, so the data a victim submits is captured at the moment the page sends it.
- SMS interception: With RECEIVE_SMS, READ_SMS, SEND_SMS and INTERNET granted, the malware reads one-time passwords as they arrive by text, which defeats SMS-based second-factor authentication for any account whose credentials it has already phished.
Permission | Purpose | Impact |
---|---|---|
RECEIVE_SMS | Intercept incoming SMS messages | Allows theft of OTPs and verification codes |
READ_SMS | Access existing SMS messages | Can extract previously received banking codes |
SEND_SMS | Send SMS messages | Enables malware to spread via text messages |
INTERNET | Network access | Required for data exfiltration |
REQUEST_INSTALL_PACKAGES | Install additional apps | Allows installation of additional malicious components |
SMS Interception Technical Implementation
Salvador Stealer implements SMS interception through a broadcast receiver named "Earnestine", registered for the incoming-SMS broadcast that the RECEIVE_SMS permission unlocks. The receiver rebuilds each message from the raw PDU bytes carried in the broadcast using Android's SmsMessage.createFromPdu() method. For every SMS received, the malware extracts:
- Message body (containing OTP codes)
- Sender ID (to identify banking sources)
- Timestamp
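To make concrete what an interceptor gets from a PDU, here is an added example (not code from the malware or from the original analysis) that parses a GSM SMS-DELIVER PDU in Python the way SmsMessage.createFromPdu() does, pulls out the sender, timestamp and body, and then picks an OTP out of the body with a simple digit-run heuristic. The sender ID "AX-EXBANK", the phone number, the SMSC and the message text are all constructed for the example; the builder exists only to produce test input.

```python
"""Parse a GSM SMS-DELIVER PDU as an SMS broadcast receiver sees it (added example).

Handles GSM 7-bit and UCS-2 bodies, numeric and alphanumeric senders, no user
data headers. Sample senders, numbers and texts below are constructed.
"""
import re

OTP_RE = re.compile(r"\b(\d{4,8})\b")  # heuristic for one-time codes in a body


def pack_7bit(text: str) -> bytes:
    """GSM 7-bit packing: septet i occupies bits 7i..7i+6 of a little-endian integer."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= (ord(ch) & 0x7F) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")


def unpack_7bit(data: bytes, septets: int) -> str:
    """Inverse of pack_7bit; covers the ASCII-compatible part of the GSM default alphabet."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def encode_semi_octets(digits: str) -> bytes:
    """BCD with the two nibbles of each byte swapped; odd digit counts get an F pad."""
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def decode_semi_octets(data: bytes, ndigits: int) -> str:
    """Inverse of encode_semi_octets; the slice drops any F pad."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)[:ndigits]


def build_deliver_pdu(sender: str, body: str, smsc: str = "919100000000",
                      scts: str = "25040810153022") -> str:
    """Build an SMS-DELIVER PDU (hex) as test input. Positive UTC offsets only."""
    smsc_field = bytes([0x91]) + encode_semi_octets(smsc)  # international SMSC
    if sender.lstrip("+").isdigit():
        digits = sender.lstrip("+")
        toa = 0x91 if sender.startswith("+") else 0x81
        addr = bytes([len(digits), toa]) + encode_semi_octets(digits)
    else:  # alphanumeric sender ID: 7-bit packed, length counts useful semi-octets
        addr = bytes([(7 * len(sender) + 3) // 4, 0xD0]) + pack_7bit(sender)
    return (bytes([len(smsc_field)]) + smsc_field
            + bytes([0x04])            # TP-MTI = SMS-DELIVER, no more messages
            + addr
            + bytes([0x00, 0x00])      # TP-PID, TP-DCS = GSM 7-bit default alphabet
            + encode_semi_octets(scts)  # YYMMDDhhmmss + zone in quarter hours
            + bytes([len(body)]) + pack_7bit(body)).hex().upper()


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Extract the fields an interceptor cares about from an SMS-DELIVER PDU."""
    raw = bytes.fromhex(pdu_hex)
    smsc_len, pos = raw[0], 1
    smsc = ""
    if smsc_len:
        smsc = decode_semi_octets(raw[pos + 1:pos + smsc_len], (smsc_len - 1) * 2)
        if (raw[pos] & 0x70) == 0x10:
            smsc = "+" + smsc
        pos += smsc_len
    first_octet = raw[pos]
    pos += 1
    if (first_octet & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    if first_octet & 0x40:
        raise NotImplementedError("user data header (concatenated SMS) not handled")
    addr_digits, toa = raw[pos], raw[pos + 1]
    pos += 2
    addr_len = (addr_digits + 1) // 2
    if (toa & 0x70) == 0x50:  # alphanumeric sender, e.g. a bank's short ID
        sender = unpack_7bit(raw[pos:pos + addr_len], addr_digits * 4 // 7)
    else:
        sender = decode_semi_octets(raw[pos:pos + addr_len], addr_digits)
        if (toa & 0x70) == 0x10:
            sender = "+" + sender
    pos += addr_len
    dcs = raw[pos + 1]  # skip TP-PID, read TP-DCS
    pos += 2
    ts, tz = decode_semi_octets(raw[pos:pos + 7], 14), raw[pos + 6]
    pos += 7
    quarters = (tz & 0x07) * 10 + (tz >> 4)  # bit 3 of the first nibble is the sign
    sign = "-" if tz & 0x08 else "+"
    timestamp = (f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]}T{ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
                 f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")
    udl, ud = raw[pos], raw[pos + 1:]
    if (dcs & 0x0C) == 0x08:          # UCS-2: UDL is a byte count
        body = ud[:udl].decode("utf-16-be")
    else:                             # GSM 7-bit: UDL is a septet count
        body = unpack_7bit(ud, udl)
    m = OTP_RE.search(body)
    return {"smsc": smsc, "sender": sender, "timestamp": timestamp,
            "body": body, "otp": m.group(1) if m else None}


if __name__ == "__main__":
    pdu = build_deliver_pdu("AX-EXBANK", "Your OTP for login is 482913. Do not share it.")
    print(pdu)
    print(parse_sms_deliver(pdu))
```

Two details matter for an interceptor: the sender of a bank OTP is usually an alphanumeric ID rather than a number, which is encoded as 7-bit packed text in the address field, and the body is what the malware forwards, so anything that looks like a 4 to 8 digit code is enough for the attacker to act on before it expires. The "hellohello" vector used in the tests is the standard GSM 7-bit packing example.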
Data Exfiltration and Command Infrastructure
Salvador Stealer sends stolen data to the attackers through multiple channels:
- Telegram API: The primary exfiltration channel is a Telegram bot with the hardcoded token 7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE, posting to chat ID -1002480016557 (the -100 prefix marks a supergroup or channel), so stolen information lands directly in a chat the attackers control. Because the token is embedded in the APK, anyone who extracts it can act as that bot against the Telegram Bot API, and Telegram can revoke it once reported.
- HTTPS endpoints: Secondary collection servers under "muletipushpa.cloud" receive stolen data through endpoints such as https://t15.muletipushpa.cloud/json/number.php, which is used for dynamic SMS forwarding.
- Real-time theft: Captured data is sent immediately via HTTP POST, so time-limited values such as OTPs can be used before they expire.
IOC Type | Indicator | Context |
---|---|---|
Domain | t01.muletipushpa.cloud to t15.muletipushpa.cloud | Phishing infrastructure |
URL | https://t15.muletipushpa.cloud/page/start.php | Phishing page entry point |
URL | https://t15.muletipushpa.cloud/admin/login.php | Admin panel |
Telegram Bot | 7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE | C2 communication channel |
Phone Number | +916306285085 | Associated WhatsApp contact (India) |
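The indicators above are only useful once they are turned into detection logic. The script below is an added example (not part of the original analysis) that scans proxy-style log lines for the page's network IOCs: the muletipushpa.cloud domains, the known Telegram bot token, and, as a weaker signal, any Telegram Bot API traffic. The log format (timestamp, client IP, method, URL or CONNECT target) and the log lines are constructed for the example; the bot token and domain come from the IOC table.

```python
"""Scan proxy-style logs for Salvador Stealer exfiltration IOCs (added example).

The indicators are the ones listed on the page; the log format and the sample
lines are constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

KNOWN_BOT_TOKENS = {"7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE"}
C2_APEX = "muletipushpa.cloud"
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)


@dataclass
class Alert:
    line_no: int
    src: str
    severity: str
    reason: str
    indicator: str


def host_of(target: str) -> str:
    """Hostname of a full URL, or of a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def is_c2_host(host: str) -> bool:
    """Match the apex and any subdomain (t01..t15), never a look-alike suffix."""
    return host == C2_APEX or host.endswith("." + C2_APEX)


def scan_line(line_no: int, line: str):
    """Return an Alert for one log line, or None. Format: ts src method target."""
    fields = line.split()
    if len(fields) < 4:
        return None
    _ts, src, _method, target = fields[:4]
    host = host_of(target)
    if is_c2_host(host):
        return Alert(line_no, src, "high", "Salvador Stealer phishing/collection domain", host)
    m = TELEGRAM_BOT_URL.search(target)
    if m:  # full URL visible: the bot token sits in the path
        token = m.group("token")
        if token in KNOWN_BOT_TOKENS:
            return Alert(line_no, src, "high", "known Salvador Stealer Telegram bot token", token)
        return Alert(line_no, src, "medium", f"Telegram Bot API {m.group('method')} from a client", token)
    if host == "api.telegram.org":  # SNI/CONNECT only: cannot see the token
        return Alert(line_no, src, "low", "Telegram Bot API host (no URL visibility)", host)
    return None


def scan_log(text: str) -> list:
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        a = scan_line(n, line)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample: one infected client (10.0.0.5), one TLS-only sighting (10.0.0.9),
# and a benign URL that merely contains the domain in its path (10.0.0.7).
SAMPLE_LOG = """\
1712570001.104 10.0.0.5 GET https://www.example-bank.example/
1712570002.310 10.0.0.5 GET https://t15.muletipushpa.cloud/page/start.php
1712570003.551 10.0.0.5 POST https://api.telegram.org/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE/sendMessage
1712570004.019 10.0.0.5 POST https://t15.muletipushpa.cloud/json/number.php
1712570005.777 10.0.0.9 CONNECT api.telegram.org:443
1712570006.002 10.0.0.7 GET https://example.com/muletipushpa.cloud/notes
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no} {a.src} [{a.severity}] {a.reason}: {a.indicator}")
```

The severity split reflects what each vantage point can actually see: the bot token only appears in the URL path, so matching it needs TLS inspection or on-device capture, while DNS and SNI logs only reveal api.telegram.org, which legitimate apps also use. The domain match, by contrast, works from DNS logs alone and is the cheapest control to deploy.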
Analysis of the command infrastructure has revealed connections to phishing admin panels and a WhatsApp contact with an Indian country code (+91), suggesting potential geographic origins of the threat actors.
Persistence Mechanisms
Salvador Stealer uses several techniques to maintain its presence on infected devices:
- WorkManager API: The malware uses a class named "Mauricio" (a WorkManager Worker, since that is what OneTimeWorkRequest.Builder takes) to re-enqueue itself one second after its service is terminated:

```java
WorkRequest serviceRestartWork = new OneTimeWorkRequest.Builder(Mauricio.class)
        .setInitialDelay(1L, TimeUnit.SECONDS)   // run again one second after being killed
        .build();
WorkManager.getInstance(getApplicationContext()).enqueue(serviceRestartWork);
```
- Boot Completion Receiver: A class named "Ellsworth" listens for the system-wide BOOT_COMPLETED broadcast and starts the "Fitzgerald" service, so the malware is running again after a reboot. Receiving this broadcast requires the RECEIVE_BOOT_COMPLETED permission, which is worth adding to any manifest-based triage even though it is not in the permission table above:

```java
public class Ellsworth extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if ("android.intent.action.BOOT_COMPLETED".equals(intent.getAction())) {
            // Fitzgerald is the malware's long-running service component
            Intent serviceIntent = new Intent(context, Fitzgerald.class);
            context.startService(serviceIntent);
        }
    }
}
```
- Background Services: Service components that run continuously, monitoring user activity and intercepting sensitive data
YARA Rule for Salvador Stealer Detection

```yara
rule Salvador_Stealer_Android {
    meta:
        description = "Detects Salvador Stealer Android banking malware"
        author = "GridinSoft Security Team"
        date = "2023-09-15"
        version = "1.0"
        hash = "7950CC61688A5BDDBCE3CB8E7CD6BEC47EEE9E38DA3210098F5A5C20B39FB6D8"
    strings:
        $xor_key = "npmanager"
        $telegrambot = "7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE"
        $class1 = "Earnestine"
        $class2 = "Mauricio"
        $class3 = "Ellsworth"
        $class4 = "Fitzgerald"
        $domain = "muletipushpa.cloud"
        // binary manifests may store the string pool as UTF-16, hence ascii wide
        $permission1 = "android.permission.REQUEST_INSTALL_PACKAGES" ascii wide
        $permission2 = "android.permission.RECEIVE_SMS" ascii wide
    condition:
        $xor_key and
        1 of ($telegrambot, $domain) and
        2 of ($class*) and
        all of ($permission*)
}
```

Two practical notes before deploying this rule. An APK is a zip whose members are deflate-compressed, so none of these strings will match if you point YARA at the .apk itself; unpack it first. The class names and the XOR key live in classes.dex, while the permission strings live in the binary AndroidManifest.xml, so no single extracted file contains both sets and the condition as written will not fire on either file alone: either scan a decoded extraction concatenated into one file (apktool output, for example) or split the rule into a DEX part and a manifest part and correlate the hits. Also, since the sample XOR-obfuscates its strings, the Telegram token and the domain may be present only in encoded form; the key string and the class names are the more dependable hits.
How to Protect Your Device from Salvador Stealer
Salvador Stealer represents a significant threat to Android users, particularly those who use mobile banking applications. Here are concrete steps to protect your device and financial information:
Preventive Security Measures
- Install apps only from official sources: Always download banking and financial applications exclusively from the Google Play Store, never from third-party app stores or direct APK downloads.
- Verify app authenticity: Before installing banking apps, visit your bank’s official website to find links to their legitimate mobile applications.
- Check app permissions: Be suspicious of any app requesting SMS permissions, installation permissions, or accessibility services that seem unnecessary for its stated function.
- Keep your device updated: Install Android security updates promptly as they often patch vulnerabilities that malware exploits.
- Block known domains: If you manage network security, block connections to domains in the IOC list, particularly those under the “muletipushpa.cloud” namespace.
Detection and Removal
If you suspect your device might be infected with Salvador Stealer or similar malware:
- Check for unfamiliar apps in your application list, particularly those with generic names or icons, including those masquerading as banking applications.
- Monitor your battery usage – malware often causes abnormal battery drain due to constant background activity.
- Examine your SMS permissions – look for apps with SMS reading permissions that shouldn’t need them.
- Install and run Trojan Scanner for Android to detect and remove malicious applications.
- If infected, change passwords for all financial accounts using a different, secure device.
- Contact your bank immediately if you suspect unauthorized access to your accounts.
- Factory reset your device if removal attempts are unsuccessful, after backing up important data.
Technical Impact Assessment
Entity | Impact |
---|---|
Individual Users | Financial fraud, identity theft, unauthorized account access |
Banking Institutions | Increased fraud cases, reputation damage, customer trust issues |
Security Teams | Challenges detecting multi-stage infection, real-time exfiltration tactics |
Mobile Ecosystem | Highlights risks of side-loading applications and permission abuse |
Conclusion: Staying Vigilant Against Mobile Banking Threats
Salvador Stealer demonstrates the increasing sophistication of mobile banking malware. By combining phishing techniques, SMS interception, and persistent infection mechanisms, it poses a serious threat to financial security. Regular security audits of your device, cautious app installation practices, and monitoring account activity are essential practices for protecting your financial information in today’s mobile-first banking environment.
For additional protection against similar threats, consider implementing comprehensive mobile security best practices and using trusted security solutions designed specifically for Android devices.