Stealth Mango

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]

ID: S0328
Platforms: Android
Version: 1.3
Created: 17 October 2018
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

Stealth Mango can record audio using the device microphone.[1]

Mobile T1533 Data from Local System

Stealth Mango collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.[1]

Mobile T1456 Drive-By Compromise

Stealth Mango is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.[1]

Mobile T1430 Location Tracking

Stealth Mango can perform GPS location tracking as well as capturing coordinates as when an SMS message or call is received.[1]

Mobile T1644 Out of Band Data

Stealth Mango uses commands received from text messages for C2.[1]

Mobile T1636 .001 Protected User Data: Calendar Entries

Stealth Mango uploads calendar events and reminders.[1]

.002 Protected User Data: Call Log

Stealth Mango uploads call logs.[1]

.003 Protected User Data: Contact List

Stealth Mango uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.[1]

.004 Protected User Data: SMS Messages

Stealth Mango uploads SMS messages.[1]

Mobile T1582 SMS Control

Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings.[1]

Mobile T1418 Software Discovery

Stealth Mango uploads information about installed packages.[1]

Mobile T1474 .003 Supply Chain Compromise: Compromise Software Supply Chain

In at least one case, Stealth Mango may have been installed using physical access to the device by a repair shop.[1]

Mobile T1422 System Network Configuration Discovery

Stealth Mango collects and uploads information about changes in SIM card or phone numbers on the device.[1]

Mobile T1512 Video Capture

Stealth Mango can record and take pictures using the front and back cameras.[1]