{
  "name": "Analysis of New Mobile Banking Malware",
  "slug": "analysis-of-new-mobile-banking-malware",
  "description": "Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware embeds a phishing website within the app to collect personal and banking data, including Aadhaar numbers, PAN card details, and net banking credentials. It exfiltrates stolen information in real time to both a phishing server and a Telegram-based Command and Control server. Salvador Stealer also intercepts SMS messages to capture one-time passwords and banking verification codes, which lets it bypass SMS-based two-factor authentication. The malware implements persistence mechanisms, automatically restarting itself if stopped and surviving device reboots. Analysis revealed exposed infrastructure, including an accessible admin panel, potentially linking the attacker to India.",
  "published": "2025-04-01T19:23:35+00:00",
  "created_at": "2025-04-01T19:23:35+00:00",
  "modified_at": "2025-04-02T06:28:56+00:00",
  "created_at_opencti": "2025-04-01T19:23:35+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-01",
    "android",
    "banking",
    "credential stealing",
    "data exfiltration",
    "otp theft",
    "persistence",
    "phishing",
    "salvador stealer",
    "sms interception"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "c363335c-0eb4-4cd8-9f6d-147dbe6fd0de",
        "name": "Salvador Stealer",
        "slug": "salvador-stealer"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://any.run/cybersecurity-blog/salvador-stealer-malware-analysis/",
    "https://otx.alienvault.com/pulse/67ec5957bfba1cac452b1059"
  ]
}