WASHINGTON ― A highly targeted intelligence gathering campaign against U.S., Australian, British, and Pakistani diplomats and NATO members used surveillanceware tools for Android and iOS, according to a report released today by Lookout Mobile Security.
The company linked the Android and iOS tools, called Stealth Mango and Tangelo respectively, to a group of freelance software developers with ties to the Pakistani military. Those developers are also believed to be responsible for targeting Indian military and government officials.
Lookout discovered Stealth Mango and Tangelo had collected a wide variety of data from its victims. Among the information transmitted to the hackers’ servers were contacts lists, pictures and videos, call and text logs, and calendar events. More sensitive information such as the travel plans of Australian and German diplomats to Pakistan, a letter from U.S. Central Command to the Afghanistan assistant minister of defense for intelligence and photos of passports and diplomatic IDs from the Kandahar airport in Afghanistan.
Other data also suggests a smaller subset of victims were affected in India, Iraq, Iran, and the United Arab Emirates.
Lookout believes Stealth Mango infects targets through a mix of phishing links that send victims to a fake third-party app store and through physical access to victims’ devices. Data from infected devices is uploaded and tracked to a WSO 2.5 web shell software commonly used by hackers to maintain remote access to a server. Lookout was able to exploit the relative insecurity of the WSO to gain access to the exfiltrated data.
But how did the company narrow down the list of potential culprits to a group of freelance developers in Pakistan?
The first indicator was the code. During its investigation the company found multiple similarities to other spyware, like TheOneSpy, it has previously linked with the same freelance developer group in Pakistan.
The next piece of evidence was the dataset itself. The company identified a number of test devices from developers it associates with the freelance group. Among the data extracted from test devices was personal information of an individual Lookout believes to be the main developer.
After identifying the developer, the company noted his email address was used to register domains with spyware that shares many characteristics with Stealth Mango. From this analysis the group concludes “our working theory is that the main developer is a full-time app developer primarily focused on creating legitimate apps, but who is also moonlighting on the side. He is also part of a group of developers selling mobile surveillanceware.”
Additionally, the company geo-located several IP addresses that logged into the command and control server from the ministry of education building in Islamabad, Pakistan.
Although it is unclear when the surveillanceware was first deployed, Lookout notes the latest variant was released as recently as April 2018.
So how can officials steer clear of Stealth Mango and other spyware. Officials can protect themselves by practicing basic safe cyber behaviors like using unique passwords for different online accounts, protecting devices with security software, and thinking twice before clicking suspicious links are easy ways to protect oneself from cyber threats.