{
	"id": "8b1807f9-0bf3-41a9-bf98-698b5073b49e",
	"created_at": "2026-04-06T00:06:20.594537Z",
	"updated_at": "2026-04-10T03:34:16.017982Z",
	"deleted_at": null,
	"sha1_hash": "217c1c9c9845ee6820e939fde18f80c7d61493a9",
	"title": "Stealth Mango and Tangelo | Surveillanceware Stealing Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3600153,
	"plain_text": "Stealth Mango and Tangelo | Surveillanceware Stealing Data\r\nBy Lookout\r\nPublished: 2018-05-18 · Archived: 2026-04-02 11:11:09 UTC\r\nhttps://www.lookout.com/blog/stealth-mango\r\nPage 1 of 7\n\nLookout Security Intelligence has discovered Android and iOS surveillanceware tools targeting government\r\nofficials, diplomats, military personnel, and activists, specifically in Pakistan, Afghanistan, India, Iraq, and the\r\nUAE. Additionally, data from U.S., Australian, and German officials and military have been swept up in the\r\ncampaign we believe is being run by members in the Pakistani military. \r\nWe're calling these surveillanceware families Stealth Mango (Android) and Tangelo (iOS). \r\nGPS coordinates pulled from the EXIF data of exfiltrated images is centered around Pakistan,\r\nAfghanistan, India, and the United Arab Emirates.\r\nhttps://www.lookout.com/blog/stealth-mango\r\nPage 2 of 7\n\nThe Lookout Security Intelligence team alerted Google to the existence of Stealth Mango during our investigation.\r\nThe company states: \"Google identified the apps associated with this actor, none of the apps were on the Google\r\nPlay Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of\r\nremoving them from all affected devices.\"\r\nPhishing and distribution\r\nPhishing message sent through Facebook Messenger. \r\nThe actors behind Stealth Mango typically lure victims via phishing messages sent by fake Facebook personas,\r\nbut in some cases may have used physical access to victims' devices. 
As was the case with previous actors we've\r\nreported on, such as Dark Caracal, the actor behind Stealth Mango has stolen a significant amount of sensitive\r\ndata from compromised devices without the need to resort to exploits of any kind.\r\nExfiltrated content\r\nThe majority of this content we analyzed has information that would be of great interest to a nation state actor.\r\nThis includes:\r\nLetters and internal government communications\r\nDetailed travel information\r\nPictures of IDs and passports\r\nGPS coordinates of pictures and devices\r\nLegal and medical documents\r\nDeveloper information including whiteboard sessions, account information, and test devices\r\nPhotos of the military, government, and related officials from closed door meetings including U.S. Army\r\npersonnel\r\nDetails around travel in and around Pakistan from Australian diplomats.\r\nExfiltrated content was found to contain military photos including a series of images from an event\r\nwith military attendees from numerous countries including U.S. Army personnel.\r\nAttacker personas\r\nWe have also identified, as part of this investigation, several individuals who we believe are responsible for the\r\ndevelopment of other commodity Android and iOS spyware tools that share many similarities to Stealth Mango\r\nand Tangelo. These individuals all belong to the same freelance developer group for hire, which says it has a\r\nphysical presence in India, Pakistan, and the United States.\r\nAuthors\r\nAndrew Blaich\r\nHead of Device Intelligence\r\nAndrew Blaich is Head of Device Intelligence at Lookout where he is focused on mobile threat hunting and\r\nvulnerability research. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a\r\nPh.D. 
in computer science and engineering from the University of Notre Dame in enterprise security and wireless\r\nnetworking. In the past Andrew has worked at both Samsung and Qualcomm Research. Andrew is a regular\r\npresenter at security conferences including BlackHat, RSA, Kaspersky SAS, SecTor, SANS DFIR, Interop, and\r\nACSC. In his free time he loves to run and hack on IoT.\r\nMichael Flossman\r\nHead of Threat Intelligence\r\nMichael is Head of Threat Intelligence at Lookout where he works on reverse engineering sophisticated mobile\r\nthreats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering\r\nand the prototyping of automated analysis solutions. When not analysing malware there’s a good chance he’s off\r\nsnowboarding, diving, or looking for flaws in popular mobile apps.\r\nSource: https://www.lookout.com/blog/stealth-mango",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.lookout.com/blog/stealth-mango"
	],
	"report_names": [
		"stealth-mango"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70e88fa9-d833-4d8c-be5b-cc39bcdb499a",
			"created_at": "2023-01-06T13:46:38.796488Z",
			"updated_at": "2026-04-10T02:00:03.103974Z",
			"deleted_at": null,
			"main_name": "Stealth Mango and Tangelo",
			"aliases": [],
			"source_name": "MISPGALAXY:Stealth Mango and Tangelo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/217c1c9c9845ee6820e939fde18f80c7d61493a9.pdf",
		"text": "https://archive.orkl.eu/217c1c9c9845ee6820e939fde18f80c7d61493a9.txt",
		"img": "https://archive.orkl.eu/217c1c9c9845ee6820e939fde18f80c7d61493a9.jpg"
	}
}