Stealth Mango
Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Mobile | T1429 | Audio Capture |
Stealth Mango can record audio using the device microphone.[1] |
|
| Mobile | T1533 | Data from Local System |
Stealth Mango collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.[1] |
|
| Mobile | T1456 | Drive-By Compromise |
Stealth Mango is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.[1] |
|
| Mobile | T1430 | Location Tracking |
Stealth Mango can perform GPS location tracking as well as capturing coordinates as when an SMS message or call is received.[1] |
|
| Mobile | T1644 | Out of Band Data |
Stealth Mango uses commands received from text messages for C2.[1] |
|
| Mobile | T1636 | .001 | Protected User Data: Calendar Entries |
Stealth Mango uploads calendar events and reminders.[1] |
| .002 | Protected User Data: Call Log |
Stealth Mango uploads call logs.[1] |
||
| .003 | Protected User Data: Contact List |
Stealth Mango uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.[1] |
||
| .004 | Protected User Data: SMS Messages |
Stealth Mango uploads SMS messages.[1] |
||
| Mobile | T1582 | SMS Control |
Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings.[1] |
|
| Mobile | T1418 | Software Discovery |
Stealth Mango uploads information about installed packages.[1] |
|
| Mobile | T1474 | .003 | Supply Chain Compromise: Compromise Software Supply Chain |
In at least one case, Stealth Mango may have been installed using physical access to the device by a repair shop.[1] |
| Mobile | T1422 | System Network Configuration Discovery |
Stealth Mango collects and uploads information about changes in SIM card or phone numbers on the device.[1] |
|
| Mobile | T1512 | Video Capture |
Stealth Mango can record and take pictures using the front and back cameras.[1] |
|