Stealth Mango

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]

ID: S0328
Platforms: Android

Version: 1.1

Techniques Used

MobileT1435Access Calendar EntriesStealth Mango uploads calendar events and reminders.[1]
MobileT1433Access Call LogStealth Mango uploads call logs.[1]
MobileT1432Access Contact ListStealth Mango uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.[1]
MobileT1409Access Sensitive Data or Credentials in FilesStealth Mango exfiltrated data, including sensitive letters/documents, stored photos, and stored audio files.[1]
MobileT1438Alternate Network MediumsStealth Mango uses commands received from text messages for C2.[1]
MobileT1418Application DiscoveryStealth Mango uploads information about installed packages.[1]
MobileT1412Capture SMS MessagesStealth Mango uploads SMS logs and deletes incoming messages from specified numbers, including those that contain particular strings.[1]
MobileT1456Drive-by CompromiseStealth Mango is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.[1]
MobileT1430Location TrackingStealth Mango can perform GPS location tracking as well as capturing coordinates as when an SMS message or call is received.[1]
MobileT1429Microphone or Camera RecordingsStealth Mango can record from the camera or microphone as well as take photos from the front and back cameras.[1]
MobileT1474Supply Chain CompromiseStealth Mango in at least one case may have been installed using physical access to the device by a repair shop.[1]
MobileT1422System Network Configuration DiscoveryStealth Mango uploads information about changes in SIM card or phone numbers on the device.[1]