Researchers have discovered a phishing campaign that infected Android devices with custom surveillance-ware bent on extracting data from top officials, primarily in the Middle East.
Researchers at Lookout Security told Threatpost that the tool, dubbed Stealth Mango, has been used to collect more than 30 gigabytes of compromised data, which the researchers found stored on the attackers' infrastructure; it includes call records, audio recordings, device location information and text messages.
“These tools have been part of a highly targeted intelligence gathering campaign we believe is operated by members of the Pakistani military,” Lookout researchers said in a report. “Our investigation indicates this actor has used these surveillance-ware tools to successfully compromise the mobile devices of government officials, members of the military, medical professionals and civilians.”
Once a device is infected with Stealth Mango, the malware first uploads all of the data on the device and then tracks subsequent changes as soon as they happen. This includes installed device information, changes of SIM card in the device, pictures and audio stored on the device, and contact lists.
Stealth Mango has been evolving over the months; in February 2018, for instance, the tool also showed functionality like key-logging, screenshot captures and screen-record functionality; the ability to track victims in real time; and the ability to access the message databases of third-party social media applications.
Lookout told Threatpost that a “ballpark figure” of around 100 unique devices were impacted by the targeted surveillance operations, including those of government officials, members of the military, and activists in Pakistan, Afghanistan, India, Iraq and the United Arab Emirates. Data belonging to officials from other countries, such as the U.S. and Germany, has also been swept up in the campaign.
Lookout said it believes the threat actor behind Stealth Mango is also behind the Operation Transparent Tribe and Operation C-Major campaigns, which targeted Indian embassies in Saudi Arabia and Kazakhstan, as well as the Indian military.
Attack Vector
Lookout researchers believe that attackers infected devices with Stealth Mango using both phishing techniques and at least one watering hole used to distribute the malware.
The watering hole URL was first sent to targets, often via Facebook Messenger. This suggests that “the attackers are using fake personas to connect with their targets and coerce them into installing the malware onto their devices,” researchers said.
Once they clicked on the URL, victims were taken to the watering hole, which purports to be the third-party Android app store known as APKMonk (secure-apps.azurewebsites[.]net). However, when victims clicked on any link on the site, they were redirected to the Stealth Mango APK.
Lookout said they initiated a takedown with Microsoft of this particular watering hole, and the account was ultimately suspended.
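The two observable steps described above, a visit to the fake app-store host and a sideloaded APK download, are the kind of thing a defender can hunt for in web-proxy logs. The script below is an added example and is not code from Lookout or Threatpost: it refangs the one indicator the article publishes (secure-apps.azurewebsites[.]net), parses a constructed, Squid-like log format, and flags any request to that host or any APK download. The log lines, the log format and the field names are assumptions made for illustration.

```python
"""Proxy-log hunt for the watering-hole host and sideloaded APKs (added example)."""
import re
from typing import Dict, List, Optional, Set

# Indicator exactly as published in the article, in defanged form.
WATERING_HOLE_DEFANGED = "secure-apps.azurewebsites[.]net"
APK_MIME = "application/vnd.android.package-archive"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a form that matches real logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


WATERING_HOLE = refang(WATERING_HOLE_DEFANGED)

# Constructed sample log (not real traffic). Assumed format:
#   <unix-ts> <client-ip> <method> <url> <status> <content-type>
SAMPLE_LOG = """\
1526300001 10.0.0.5 GET http://secure-apps.azurewebsites.net/ 200 text/html
1526300009 10.0.0.5 GET http://secure-apps.azurewebsites.net/app/messenger 302 text/html
1526300010 10.0.0.5 GET http://secure-apps.azurewebsites.net/dl/update.apk 200 application/vnd.android.package-archive
1526300020 10.0.0.7 GET http://example.org/index.html 200 text/html
1526300030 10.0.0.9 GET https://play.google.com/store/apps 200 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    hm = re.match(r"^https?://([^/:?#]+)", entry["url"], re.IGNORECASE)
    entry["host"] = hm.group(1).lower() if hm else ""
    return entry


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry is suspicious (empty list when it is not)."""
    reasons: List[str] = []
    if entry["host"] == WATERING_HOLE:
        reasons.append("watering-hole-host")
    # An APK fetched directly over HTTP is a sideload; on a managed fleet every one is worth a look.
    if entry["ctype"].lower() == APK_MIME or entry["url"].lower().endswith(".apk"):
        reasons.append("apk-download")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run the classifier over every parseable line and collect the hits in log order."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "client": entry["client"],
                         "url": entry["url"], "reasons": reasons})
    return hits


def affected_clients(hits: List[Dict[str, object]]) -> Set[str]:
    """Distinct client addresses that produced at least one hit, for follow-up triage."""
    return {str(h["client"]) for h in hits}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["client"], ",".join(h["reasons"]), h["url"])
    print("clients to triage:", sorted(affected_clients(scan_log(SAMPLE_LOG))))
```

The host match is exact rather than a substring match so that unrelated azurewebsites.net tenants do not light up; the APK rule is intentionally broad because, as the article notes, the malware arrived through a sideloaded package rather than an exploit, and that delivery method is visible in proxy data regardless of which domain is used next.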
Researchers also found that these threat actors have multi-platform capabilities built on several custom tools. While most of the research focused on the Stealth Mango Android component, there is also evidence that an iOS tool, believed to be a variant of Tangelo, is being developed.
Researchers said that the two tools appear to have been created by the same developer group, but it is unclear whether the iOS component is still in a trial phase or is already being used in active campaigns.
“There’s likely an iOS piece being used alongside Stealth Mango and communicating to the same infrastructure, but we haven’t found that piece in the wild at this time… and we’re not sure how it’s being deployed,” said Michael Flossman, head of threat intelligence at Lookout, in an interview. “However, given the existence of Tangelo on a different server we’re pretty sure the variation of that is being used by these guys.”
Threat Actor
Lookout linked the tools to freelance software developers with ties to the Pakistani military, with physical presences in Pakistan, India and the United States.
“Further analysis of server-side logs on attacker infrastructure showed three IPs that geolocate to a specific area of the G-8 area in Islamabad, Pakistan,” Lookout’s report detailed.
“This is another nation-state based actor that is using commodity tooling without resorting to any sort of zero-day or exploit, and getting a lot of value from that model,” Andrew Blaich, head of device intelligence at Lookout, told Threatpost. “It shows there’s a lot of variants in terms of the surveillance-ware out there and you can get a lot of stuff done without utilizing exploits.”
There were a couple of surprises in the threat actor’s approach as well.
When looking at the threat actor’s infrastructure, which used two IP addresses, “we were surprised to find how wide open the server was,” Flossman told Threatpost. “This actor focused very much on setting up the remote infrastructure without securing it… As a result, exfiltrated data was publicly accessible.”
In another surprise to researchers, Flossman added, they found the infrastructure running the WSO web shell, which gives anyone who can reach it complete control over the server.
Researchers said it’s unclear when the campaign was first deployed, but they first came across it in mid-January 2018. The latest release of Stealth Mango was as recently as April 2018.
“At the moment, the infrastructure behind these operations appears to be down, but we don’t expect them to disappear… we expect them to surface again with other mobile components,” said Flossman.