Back to Blog Home
Back to Blog
New
Lookout Threat Intelligence
Threat Intelligence

May 18, 2018

-
min read

Stealth Mango and Tangelo | Surveillanceware Stealing Data

Andrew Blaich
Andrew Blaich
Head of Device Intelligence
Michael Flossman
Michael Flossman
Head of Threat Intelligence
Man standing in government office looking at multiple displays.

Lookout Security Intelligence has discovered Android and iOS surveillanceware tools targeting government officials, diplomats, military personnel, and activists, specifically in Pakistan, Afghanistan, India, Iraq, and the UAE. Additionally, data from U.S., Australian, and German officials and military have been swept up in the campaign we believe is being run by members in the Pakistani military. 

We're calling these surveillanceware families Stealth Mango (Android) and Tangelo (iOS). 

GPS coordinates pulled from the EXIF data of exfiltrated images is centered around Pakistan, Afghanistan, India, and the United Arab Emirates.

The Lookout Security Intelligence team alerted Google to the existence of Stealth Mango during our investigation. The company states: "Google identified the apps associated with this actor, none of the apps were on the Google Play Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices."

Phishing and distribution

Phishing message sent through Facebook Messenger. 

 

The actors behind Stealth Mango typically lure victims via phishing messages sent by fake Facebook personas, but in some cases may have used physical access to victims' devices. As was the case with previous actors we've reported on, such as Dark Caracal, the actor behind Stealth Mango has stolen a significant amount of sensitive data from compromised devices without the need to resort to exploits of any kind.

Exfiltrated content

The majority of this content we analyzed has information that would be of great interest to a nation state actor. This includes:

  • Letters and internal government communications
  • Detailed travel information
  • Pictures of IDs and passports
  • GPS coordinates of pictures and devices
  • Legal and medical documents
  • Developer information including whiteboard sessions, account information, and test devices
  • Photos of the military, government, and related officials from closed door meetings including U.S. Army personnel

Details around travel in and around Pakistan from Australian diplomats.

Exfiltrated content was found to contain military photos including a series of images from an event with military attendees from numerous countries including U.S. Army personnel.

Attacker personas

We have also identified, as part of this investigation, several individuals who we believe are responsible for the development of other commodity Android and iOS spyware tools that share many similarities to Stealth Mango and Tangelo. These individuals all belong to the same freelance developer group for hire, which says it has a physical presence in India, Pakistan, and the United States. 

Get more in-depth details about Stealth Mango and Tangelo, the data collected, the actors behind this nation state surveillanceware, and a list of the indicators of compromise by downloading our technical report

           

       

No items found.
Tags
Phishing
Tags
Surveillanceware
Threat Discovery
Security Guidance
Collaboration
Zero Trust
Vulnerability
Shadow IT
Threat Hunting
Remote Work
Privacy & Online Safety
Ransomware
Malware
Phishing
Insider Threat
Human Resources
Compliance
Identity & Financial Protection
Device Security
Data Protection
Meet Privacy & Compliance Demand | Use Case Videos
Adopt the Cloud Faster | Use Case Videos
Accelerate Mergers & Acquisitions | Use Case Videos
Detect and Mitigate Cyber Threats | Use Case Videos
Promote Collaboration Securely | Use Case Videos
Secure Hybrid Work | Use Case Videos
Lookout Mobile Endpoint Security | Use Case Videos
Lookout Secure Internet Access | Use Case Videos
Lookout Secure Private Access | Use Case Videos
Lookout Secure Cloud Access | Use Case Videos
Lookout Cloud Security Platform | Use Case Videos
Partnerships
Slack
ServiceNow
Salesforce
KuppingerCole
SAP
Small Business
Retail
ESG
Vodafone
VMware
Verizon
State and Local Government
Pharmaceutical
Manufacturing
Microsoft
Lookout Foundation
Legal
IDC
Healthcare
Google
Gartner
Financial Services
Energy
Federal Government
Channel
Education
AT&T

Related Content

New
Lookout Threat Intelligence
Threat Intelligence

Protect Cloud Data in the Wake of the Pfizer Data Leak

We often associate breaches with corporate espionage and threat groups, but as the Pfizer IP leak incident showed, cloud connectivity has actually amplified security gaps.

Read More
Watch Now
New
Lookout Threat Intelligence
Threat Intelligence

Energy Industry Threat Report

The energy industry is a prime target for attacks as mobile threats like phishing and app encounter rate is higher than other industries. Discover what these threats mean.

Read More
Watch Now
New
Lookout Threat Intelligence
Threat Intelligence

Telework Exposed to Heightened Mobile Risk

Lookout data reveals that U.S. government organizations are exposed to hundreds of vulnerabilities from outdated operating systems and risky apps which steal credentials.

Read More
Watch Now