Stealth Mango and Tangelo targets government officials in Middle East, India and Afghanistan in new phishing espionage campaign
A new set of custom Android and iOS surveillanceware tools namely StealthMango and Tangelo have been discovered targeting government officials, medical professionals and civilians in the Middle East, Afghanistan and India. Lookout Security Intelligence researchers believe these tools are part of a sophisticated, highly targeted intelligence-gathering campaign believed to be operated by members of the Pakistani military.
“To date, we have observed Stealth Mango being deployed against victims in Pakistan, Afghanistan, India, Iraq, Iran, and the United Arab Emirates,” Lookout researchers said in a report. “The surveillanceware also retrieved sensitive data from individuals and groups in the United States, Australia, and the United Kingdom. These individuals and groups were not themselves targeted, but interacted with individuals whose devices had been compromised by Stealth Mango or Tangelo.”
Researchers believe the threat actor behind Stealth Mango is likely behind Op C Major and Transparent Tribe that targeted Indian embassies in Saudi Arabia and Kazakhstan and the Indian military.
“We have also identified, as part of this investigation, several individuals who we believe are responsible for the development of other commodity Android and iOS spyware tools that share many similarities to Stealth Mango and Tangelo,” researchers noted. “These individuals all belong to the same freelance developer group for hire, which says it has a physical presence in India, Pakistan, and the United States.”
Stealth Mango is distributed via phishing links through third-party app stores and possible physical access to targeted devices. One watering hole used to distribute the malware masquerades as the third-party Android app store APKMonk and instead leads to the Stealth Mango APK. In one case, the watering hole URL was distributed via Facebook Messenger with the attackers using fake personas to lure victims and dupe them into downloading the malware.
Once the targeted device is infected with the malware, it uploads all device data such as installed device information, SIM card change, contact list and any multimedia stores on the device
According to Lookout, the campaign has been running since April 2018. Researchers have identified over 15GB of exfiltrated data on command and control servers including text messages, contact details, package info, geolocation data, audio recordings, photos, and videos from both victim and test devices. Some of the comprised personal content and sensitive information include internal government communications, pictures of government documents including IDs and passports, legal and medical documents, developer information such as whiteboard sessions and account data and even photos of the military, government and related officials from closed door meetings including US Army personnel.
Although Stealth Mango primarily targets Android users, researchers have discovered evidence of an iOS version as well for jailbroken devices.
Researchers have alerted Google about the existence of Stealth Mango. The company stated:
“Google identified the apps associated with this actor, none of the apps were on the Google Play Store. “Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices.”
Researchers say the newly uncovered campaign highlight the growing trend in which threat actors are developing in-house custom surveillanceware.
“The actor behind Stealth Mango has stolen a significant amount of sensitive data from compromised devices without the need to resort to exploits of any kind,” researchers said. “The actors that are developing this surveillanceware are also setting up their own command and control infrastructure and in some cases encountering some operational security missteps, enabling researchers to discover who the targets are and details about the actors operating it that otherwise are not as easily obtained.”