The presentation discusses the capabilities and tactics of a malware called Stealth Mango, which is used for surveillance purposes. The malware is low sophistication but effective in gathering personal information from compromised devices.
- Stealth Mango is a malware used for surveillance purposes that is low sophistication but effective in gathering personal information from compromised devices.
- The malware can record screenshots, log keystrokes, and collect personal information such as contact data and associated information.
- The malware communicates over HTTP and sends device metadata, call history, and installed packages to the command and control infrastructure.
- The developers behind Stealth Mango attempted to hide the tool by appearing like legitimate applications and using common package names.
- The malware is capable of handling text messages out-of-band and can kick off specific functionality based on certain keywords.
- The developers behind Stealth Mango forked the One Spy and reused a lot of code, including dead code that doesn't make sense for surveillance purposes.
- The malware is effective due to the low sophistication of users and their willingness to grant permissions to apps.
- The presentation provides insight into the tactics and capabilities of Stealth Mango and the importance of being cautious with app permissions.
The developers behind Stealth Mango attempted to hide the tool by using common package names like 'com.update.system' and 'a app title that system'. This is effective because users may be hesitant to uninstall something that appears to be a system update or a legitimate app. This highlights the importance of being cautious with app permissions and thoroughly checking the names and sources of installed apps.
In this talk, we will unveil the new in-house capabilities of a nation state actor who has been observed deploying both Android and iOS surveillance tooling, known as Stealth Mango and Tangelo. The actor behind these offensive capabilities has successfully compromised the devices of government officials and military personnel in numerous countries with some directly impacting Western interests. Our research indicates this capability has been created by freelance developers who primarily release commodity spouse-ware but moonlight by selling their own custom surveillanceware to state actors. One such state actor has been observed deploying Stealth Mango and this presentation will unveil the depth and breadth of their campaigns, detailing not only how we watched them grow and develop, test, QA, and deploy their offensive tooling, but also how operation security mistakes ultimately led to their attribution.