S0328: Stealth Mango
Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]
Analyst context for executives and security teams
Stealth Mango matters because it represents Android malware focused on mobile collection, not just device nuisance. The supplied ATT&CK relationships point to behaviors that can expose conversations, location, contacts, SMS, call logs, calendar data, local files, installed apps, and network configuration. For executives and security leaders, the practical issue is whether high-risk mobile users—such as officials, executives, medical staff, military personnel, or incident responders—are governed, monitored, and supportable when a phone becomes a data collection point.
Executive priority
Prioritize this as a mobile privacy, sensitive-data, and operational-security risk. The business decision is not only whether endpoint controls exist on laptops, but whether mobile devices have enforceable app provenance, permission governance, update discipline, and incident response procedures. This object also supports audit and compliance discussions around protection of communications, personal data, location data, and regulated records stored or accessible on Android devices.
Technical view
ATT&CK lists Stealth Mango as Android malware with no official detection text and no tactics specified. Defensive validation should therefore be relationship-driven: confirm visibility for Android app inventory, suspicious permission combinations, access to SMS/call log/contacts/calendar providers, microphone/camera/location use, local data access, network configuration discovery, and out-of-band channels such as SMS, Bluetooth, NFC, or push-notification-derived content where available. Treat drive-by compromise and software supply-chain compromise relationships as prompts to validate browser/update hygiene and app source integrity, not as proof of a specific delivery path in the local environment.
Likely telemetry
- Android MDM/EMM inventory: installed applications, package names, signing/provenance data, app version, sideload status, and update source
- Android permission grants and runtime permission changes for microphone, camera, location, SMS, contacts, calendar, call log, and local storage
- Mobile security or device logs showing app behavior, sensitive API access, default SMS handler changes, and background location requests
- SMS metadata and mobile carrier/MDM-visible messaging indicators where legally and technically available
- Network telemetry from managed mobile devices, including connections over Wi-Fi or cellular and signs of unusual out-of-band communication paths
Detection direction
- Because MITRE provides no official detection guidance for S0328, start by mapping coverage to the related techniques rather than relying on a single malware signature.
- Tune for risky combinations: untrusted or newly installed Android apps requesting SMS, contacts, call log, calendar, microphone, camera, location, and storage permissions together.
- Validate whether the SOC can see sensitive Android content-provider access and permission changes; many environments only collect inventory and miss behavioral evidence.
- Account for false positives: navigation, messaging, conferencing, health, and productivity apps may legitimately request sensitive permissions, so detections need app reputation, business role, source, and user context.
- For supply-chain and drive-by relationships, validate app provenance, signing consistency, update channels, and browser exposure, but do not assume a delivery method without local evidence.
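One way to operationalize the "risky combination" tuning above against an MDM/EMM app inventory, as an added example that is not part of the Glexia analysis or the ATT&CK object (the inventory record format, the `approved` field and the sample records are constructed assumptions; the permission strings and the Play Store installer package name are real Android values):

```python
# Added example: score Android app-inventory records for the sensitive-permission
# combination called out in the detection guidance (SMS, contacts, call log,
# calendar, microphone, camera, location, storage), weighted by provenance so
# that approved store apps with a legitimate business role are not flagged.
from typing import Dict, List

# Android runtime permissions mapped to the data category each one unlocks.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
}
PLAY_STORE = "com.android.vending"  # installer package reported for Play installs

# Constructed sample inventory export; field names are assumptions.
INVENTORY: List[Dict] = [
    {"package": "com.example.maps", "installer": PLAY_STORE, "approved": True,
     "permissions": ["android.permission.ACCESS_FINE_LOCATION"]},
    {"package": "com.example.unknown", "installer": None, "approved": False,
     "permissions": [
         "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
         "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
         "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
         "android.permission.READ_CALENDAR", "android.permission.READ_CALL_LOG",
         "android.permission.READ_EXTERNAL_STORAGE"]},
    {"package": "com.example.chat", "installer": PLAY_STORE, "approved": True,
     "permissions": ["android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                     "android.permission.READ_CONTACTS"]},
]

def categories(app: Dict) -> set:
    """Sensitive data categories reachable through the app's granted permissions."""
    return {SENSITIVE[p] for p in app.get("permissions", []) if p in SENSITIVE}

def assess(app: Dict, threshold: int = 5) -> Dict:
    """Flag an app only when it spans many sensitive categories AND lacks
    provenance (sideloaded or not on the approved list); a messaging or
    conferencing app from the store with a few permissions stays quiet."""
    cats = categories(app)
    sideloaded = app.get("installer") != PLAY_STORE
    untrusted = sideloaded or not app.get("approved", False)
    return {"package": app["package"], "categories": sorted(cats),
            "sideloaded": sideloaded, "flagged": len(cats) >= threshold and untrusted}

def review(inventory: List[Dict]) -> List[str]:
    """Package names that warrant analyst review, in inventory order."""
    return [r["package"] for r in map(assess, inventory) if r["flagged"]]
```

The threshold and the approved list are the knobs the guidance refers to as app reputation and business-role context; both should come from local policy rather than the constants used here.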
Mitigation priorities
- Define which Android devices and user groups are in scope for managed mobile security, especially high-risk personnel and roles handling sensitive communications or regulated data.
- Restrict sideloading and enforce approved application sources, app reputation review, and update integrity checks where management controls allow.
- Apply least-privilege permission governance for microphone, camera, location, SMS, contacts, calendar, call log, and local storage access.
- Maintain Android OS, browser, and application update hygiene to reduce exposure to drive-by compromise paths described by ATT&CK.
- Use mobile device management and mobile threat detection capabilities to produce evidence for SOC monitoring, incident response, and compliance reporting.
Analyst notes and limits
The strongest decision value from this object is the breadth of mobile data collection behaviors associated through ATT&CK relationships. For Glexia-style assessment, Stealth Mango is a useful test case for whether mobile security is integrated into identity, SOC, IR, privacy, and compliance workflows rather than treated as a separate device-management problem.
The supplied ATT&CK object has no official detection text, no listed tactics, no aliases, and only Android as the platform for Stealth Mango. The description says the malware has reportedly been used against several categories of people, but the supplied fields do not support claims about current activity, attribution, customer exposure, or guaranteed detection. Local device management, telemetry availability, legal constraints, and mobile OS configuration will determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1512 | Video Capture | Stealth Mango can record and take pictures using the front and back cameras. [1] |
| Mobile | T1429 | Audio Capture | Stealth Mango can record audio using the device microphone. [1] |
| Mobile | T1636.002 | Call Log Sub-technique | Stealth Mango uploads call logs. [1] |
| Mobile | T1582 | SMS Control | Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings. [1] |
| Mobile | T1644 | Out of Band Data | Stealth Mango uses commands received from text messages for C2. [1] |
| Mobile | T1636.001 | Calendar Entries Sub-technique | Stealth Mango uploads calendar events and reminders. [1] |
| Mobile | T1474.003 | Compromise Software Supply Chain Sub-technique | In at least one case, Stealth Mango may have been installed using physical access to the device by a repair shop. [1] |
| Mobile | T1636.003 | Contact List Sub-technique | Stealth Mango uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others. [1] |
| Mobile | T1422 | System Network Configuration Discovery | Stealth Mango collects and uploads information about changes in SIM card or phone numbers on the device. [1] |
| Mobile | T1418 | Software Discovery | Stealth Mango uploads information about installed packages. [1] |
| Mobile | T1430 | Location Tracking | Stealth Mango can perform GPS location tracking as well as capturing coordinates, such as when an SMS message or call is received. [1] |
| Mobile | T1456 | Drive-By Compromise | Stealth Mango is delivered via a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger. [1] |
| Mobile | T1533 | Data from Local System | Stealth Mango collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files. [1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | Stealth Mango uploads SMS messages. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | c731e1949b6b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lookout-StealthMango: Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
- [2] Stealth Mango (Citation: Lookout-StealthMango)
- [3] mitre-attack: S0328
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.