Android users in India—and potentially worldwide—are being targeted by a new and dangerous malware called Salvador Stealer. Disguised as a legitimate banking application, Salvador Stealer is an information-stealing trojan that extracts sensitive data and sends it to attackers via the Telegram Bot API. This malware is a potent example of how cybercriminals are using social engineering and fake apps to compromise personal security.
Once installed, Salvador Stealer tricks users by presenting counterfeit forms that request highly sensitive information. These forms ask for credentials such as the Aadhaar number, PAN card details, date of birth, mobile number, and online banking login credentials. All data entered into these forms is silently transmitted to attacker-controlled servers.
Threat Summary
Attribute | Details |
---|---|
Name | Salvador Stealer (a.k.a. Salvador Information Stealer) |
Threat Type | Android malware, Information stealer |
Detection Names | Avast (APK:RepMalware [Trj]), Combo Cleaner (Android.Trojan.Banker.ATF), ESET-NOD32 (Multiple Detections), Kaspersky (HEUR:Trojan-Banker.AndroidOS.Rewardsteal.lv) |
Associated Emails | N/A (uses Telegram Bot API for exfiltration) |
Symptoms of Infection | Slow performance, unauthorized system changes, new suspicious apps, fast battery drain, intrusive ads, browser redirects |
Distribution Methods | Fake banking apps, malicious email attachments, infected ads, scam websites, social engineering |
Damage | Identity theft, financial losses, OTP hijacking, stolen personal info, data leaks |
Danger Level | High – due to persistent access, OTP interception, and sensitive data theft |
How Salvador Stealer Operates
The most alarming feature of Salvador Stealer is its ability to intercept incoming SMS messages, including One-Time Passwords (OTPs) and bank verification codes. By hijacking these messages, the malware can bypass two-factor authentication (2FA), giving hackers near-complete access to a user’s banking information and other sensitive accounts.
To maintain control over the infected device, Salvador Stealer utilizes persistence techniques. It can automatically relaunch after a reboot, making removal challenging. It continuously monitors activity, harvests information, and transmits stolen data—leaving users vulnerable to identity theft, financial fraud, and privacy invasion.
Though this stealer primarily targets Indian Android users, it can easily be modified to target individuals in other countries. The implications of its presence on a device are devastating, making it essential for users to act quickly upon detection.
General Signs Your Android Device Has Malware
- Unusual battery drain
- Sluggish performance or overheating
- Annoying pop-up ads—even when not using a browser
- Unauthorized app installs or unfamiliar apps
- Unexpected spikes in data usage
- Redirects when browsing or locked browser tabs
- Sudden crashes or reboots
- Disabled antivirus or security settings
How to Check for Malware by Device Type
Android Phones & Tablets
Step 1: Boot into Safe Mode
- Hold the Power button until the power menu appears
- Long-press Power off, then tap Reboot to safe mode
- This disables third-party apps temporarily
Step 2: Check App List
- Go to Settings > Apps > See all apps
- Look for:
- Apps you didn’t install
- Apps with generic names (e.g., “Update Service” or “Security Tool”)
- Apps with excessive permissions
Step 3: Use Google Play Protect
- Open Google Play Store
- Tap your profile icon > Play Protect
- Tap Scan
Android TV Devices
Step 1: Check Installed Apps
- Go to Settings > Apps
- Look for unrecognized or recently installed apps
Step 2: Review Sideloaded APKs
- Use a file manager (e.g., X-plore File Manager) to inspect sideloaded apps
- Avoid APKs from sources other than APKMirror or Google Play
Step 3: Scan Using Sideloaded Antivirus
You can install:
- Malwarebytes
- Bitdefender
Use APKMirror to sideload if unavailable in Play Store
Step 4: Factory Reset if Infected
- Go to Settings > Device Preferences > Reset > Factory data reset
Android Emulators (e.g., BlueStacks, NoxPlayer, LDPlayer)
Step 1: Check Installed Apps
- Open emulator > Settings > Apps
- Remove unknown apps or those not installed via Play Store
Step 2: Install Antivirus Inside the Emulator
- Use Google Play in the emulator to install:
- ESET Mobile Security
- Malwarebytes
Step 3: Monitor Network Activity
- On PC: Use tools like Wireshark or GlassWire
- Or install a firewall app within the emulator
Step 4: Reset or Reinstall Emulator
- Reset to a clean snapshot or uninstall and reinstall the emulator
Section 3: Manual Removal Steps (All Devices)
1. Remove Suspicious Apps Manually
- Go to Settings > Apps > [App] > Uninstall
- If app is a device admin:
- Settings > Security > Device admin apps
- Disable admin rights, then uninstall
2. Clear App Data and Cache
- Settings > Storage > Cached data
- Settings > Apps > [App] > Storage > Clear Data & Cache
3. Revoke Dangerous Permissions
- Settings > Privacy > Permission Manager
- Revoke camera, SMS, and location access from unfamiliar apps
4. Check Accessibility & Admin Settings
- Settings > Accessibility > Installed Services
- Settings > Security > Device admin apps
Section 4: Preventing Future Malware Infections
- Avoid third-party app stores unless trusted (e.g., F-Droid, APKMirror)
- Enable Google Play Protect
- Keep system and apps up to date
- Use a VPN on public Wi-Fi
- Do not click unknown links in texts or emails
- Review app permissions before installation
- Enable Two-Factor Authentication (2FA) when available
Section 5: When to Perform a Factory Reset
Do this if:
- A malicious app cannot be removed
- Malware persists after antivirus scans
- Device performance is severely affected
How to Factory Reset:
- Settings > System > Reset > Factory data reset
- Back up important data before proceeding
Summary Checklist
Action | Device Type | Tools/Notes |
---|---|---|
Safe Mode | Phones/Tablets | Isolate third-party apps |
App Audit | All | Settings > Apps |
Antivirus Scan | All | Malwarebytes, Bitdefender |
Factory Reset | All | Last resort step |
Emulator Cleanup | Emulators | Reset or reinstall software |
App Permission Review | All | Revoke unnecessary access |
Bonus Tip: Use a Security Suite
For ongoing protection, consider installing a comprehensive mobile security suite that includes:
- Real-time scanning
- Anti-phishing tools
- VPN
- Call and SMS blocking
- App lock features
Conclusion
Salvador Stealer represents a serious threat to Android users, especially in regions like India where Aadhaar and PAN card details are linked to critical financial infrastructure. Its ability to collect detailed personal information, intercept OTPs, and maintain persistence on a device underscores the increasing sophistication of mobile malware. Users must remain vigilant, avoid downloading apps from unverified sources, and scan their devices regularly for signs of infection.