MITRE ATT&CK® Malware

S0329: Tangelo

Tangelo is iOS malware that is believed to be from the same developers as the Stealth Mango Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. [1]

Domain: Mobile | ID: S0329 | Type: Malware | Object version: 1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Tangelo matters because it represents iOS malware intended for jailbroken devices, where normal iOS security boundaries are weakened. The ATT&CK relationships point to collection-heavy behavior: stored app data, local files, call logs, SMS messages, audio, location, and network configuration details. For leaders, the practical issue is not broad iOS malware coverage in general, but whether the organization can identify jailbroken or non-compliant mobile devices before they become a source of sensitive data loss, privacy exposure, or incident uncertainty.

Executive priority

Prioritize this as a mobile device governance and sensitive-data exposure problem. The supplied ATT&CK data ties Tangelo to iOS and to behaviors that can expose communications, location, application data, and local system data. Executives should ask whether corporate access from jailbroken iOS devices is blocked or strongly controlled, whether mobile compliance evidence is available for audits, and whether incident response can quickly determine what mobile data may have been exposed if a device is compromised.

Technical view

Tangelo is described as a Debian package, not a normal mobile application, and can only run on jailbroken iOS devices. SOC, IR, and mobile security teams should validate controls and telemetry around jailbreak detection, unauthorized package presence, abnormal access to local application data, call/SMS stores, microphone use, location access, and discovery of device network configuration. ATT&CK provides no official detection text for this object, so detection engineering should be based on the related techniques and local mobile management visibility rather than a claimed signature-level analytic.

Likely telemetry

  • Mobile device management or enterprise mobility management compliance state, especially jailbreak status
  • Inventory or forensic evidence of Debian packages or non-standard software on iOS devices
  • Mobile security alerts for jailbroken devices or suspicious local data access
  • Device logs or forensic artifacts showing access to application data, local files, SMS data, call logs, microphone, or location data where available
  • Network telemetry associated with managed mobile devices, including device IP information and unusual communications from non-compliant devices

Detection direction

  • Validate that jailbroken iOS devices are detected, reported, and either blocked or escalated according to policy.
  • Because MITRE provides no official detection guidance for Tangelo, map detections to the related behaviors: Stored Application Data, System Network Configuration Discovery, Audio Capture, Location Tracking, Data from Local System, Call Log, and SMS Messages.
  • Tune triage to distinguish legitimate managed-device administration or user-approved mobile permissions from signs of jailbreak-enabled access to data that iOS normally protects.
  • Check for blind spots where mobile devices access corporate email, messaging, identity, or cloud services but are not covered by MDM, mobile threat defense, or compliance enforcement.
  • For incident response, preserve device state carefully; mobile telemetry may be sparse, and evidence may require forensic collection rather than standard endpoint logs.
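The detection direction above amounts to a join between mobile compliance state and corporate access events: a sign-in from a device that MDM reports as jailbroken, that MDM has never seen, or whose compliance evidence is stale is the case to escalate. The following is an added example, not Glexia's or MITRE's code; the record fields, the 24-hour staleness threshold, and the finding labels are assumptions, and all records are constructed sample data rather than real telemetry.

```python
"""Triage helper: join MDM compliance state with corporate sign-in events to
surface jailbroken, unmanaged, or stale-compliance iOS devices.
Added example with constructed data; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumption: compliance evidence older than this is not trusted for access decisions.
STALE_AFTER = timedelta(hours=24)


@dataclass
class Device:
    device_id: str
    platform: str
    jailbroken: bool
    mdm_enrolled: bool
    last_compliance_check: Optional[datetime]  # None when MDM never reported on it


@dataclass
class SignIn:
    device_id: str
    user: str
    service: str
    when: datetime


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed MDM inventory: one compliant device, one jailbroken, one with stale
# evidence, one Android device that this iOS-scoped check ignores.
MDM_INVENTORY: Dict[str, Device] = {
    "ios-001": Device("ios-001", "iOS", False, True, NOW - timedelta(hours=2)),
    "ios-002": Device("ios-002", "iOS", True, True, NOW - timedelta(hours=1)),
    "ios-003": Device("ios-003", "iOS", False, True, NOW - timedelta(days=3)),
    "android-001": Device("android-001", "Android", False, True, NOW - timedelta(hours=1)),
}

# Constructed identity-provider sign-in events; "ios-999" is unknown to MDM.
SIGN_INS: List[SignIn] = [
    SignIn("ios-001", "alice", "mail", NOW - timedelta(minutes=30)),
    SignIn("ios-002", "bob", "mail", NOW - timedelta(minutes=25)),
    SignIn("ios-002", "bob", "sharepoint", NOW - timedelta(minutes=20)),
    SignIn("ios-003", "carol", "chat", NOW - timedelta(minutes=15)),
    SignIn("ios-999", "dave", "mail", NOW - timedelta(minutes=10)),
    SignIn("android-001", "erin", "mail", NOW - timedelta(minutes=5)),
]


def triage(inventory: Dict[str, Device], signins: List[SignIn], now: datetime) -> List[dict]:
    """Return one finding per sign-in that came from a device in a risky state.

    UNMANAGED_ACCESS:   device not in MDM (or not enrolled) yet reaching corporate services
    JAILBROKEN_ACCESS:  MDM reports the iOS device as jailbroken
    STALE_COMPLIANCE:   iOS device whose last compliance check is missing or too old
    """
    findings = []
    for ev in signins:
        dev = inventory.get(ev.device_id)
        base = {"device_id": ev.device_id, "user": ev.user, "service": ev.service, "when": ev.when}
        if dev is None or not dev.mdm_enrolled:
            findings.append({**base, "finding": "UNMANAGED_ACCESS", "severity": "high"})
            continue
        if dev.platform != "iOS":
            continue  # this example scopes to iOS; Android would need its own root checks
        if dev.jailbroken:
            findings.append({**base, "finding": "JAILBROKEN_ACCESS", "severity": "critical"})
        elif dev.last_compliance_check is None or now - dev.last_compliance_check > STALE_AFTER:
            findings.append({**base, "finding": "STALE_COMPLIANCE", "severity": "medium"})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by type, for a quick coverage or blind-spot report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(MDM_INVENTORY, SIGN_INS, NOW):
        print(f"{f['severity']:<8} {f['finding']:<18} {f['device_id']:<12} {f['user']} -> {f['service']}")
    print(summarize(triage(MDM_INVENTORY, SIGN_INS, NOW)))
```

On the constructed data this yields two JAILBROKEN_ACCESS findings for ios-002, one STALE_COMPLIANCE for ios-003, and one UNMANAGED_ACCESS for ios-999; the compliant ios-001 and the out-of-scope Android device produce nothing. The unmanaged case is the blind spot the list above warns about: a device that reaches mail or chat without any MDM record cannot be judged on jailbreak status at all, so it is escalated rather than ignored.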

Mitigation priorities

  • Enforce mobile access policies that restrict or block jailbroken iOS devices from corporate resources.
  • Maintain mobile device inventory and compliance reporting so security teams can identify non-compliant devices before an incident.
  • Limit sensitive enterprise data stored locally on mobile devices where feasible, and require strong identity and conditional access controls for mobile access.
  • Review application permission and data handling practices for enterprise mobile apps, especially around local storage, location, microphone, and messaging-related data.
  • Prepare mobile incident response procedures that include evidence collection, user communication, and decisions about credential reset or data exposure review when a jailbroken device is involved.

Analyst notes and limits

The most decision-relevant fact is that Tangelo is not described as a standard iOS app; it is a Debian package for jailbroken iOS devices. That makes jailbreak governance, conditional access, and mobile forensic readiness more important than conventional app-store allowlisting alone. The relationship set indicates collection and discovery behaviors that could affect privacy, communications confidentiality, and business-sensitive data on the device.

This take is limited to the supplied ATT&CK fields and relationships. ATT&CK lists no tactics and provides no official detection text for Tangelo. The source description says it is believed to be from the same developers as Stealth Mango, but this summary does not infer attribution or active exploitation. Local environment evidence is required to determine exposure, detection coverage, or whether any specific device is affected.

Official MITRE ATT&CK definition

Tangelo

Tangelo is iOS malware that is believed to be from the same developers as the Stealth Mango Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

7 rows

Domain | ID | Name | Relationship / procedure
Mobile | T1636.004 | SMS Messages (sub-technique) | Tangelo contains functionality to gather SMS messages. [1]
Mobile | T1422 | System Network Configuration Discovery | Tangelo contains functionality to gather cellular IDs. [1]
Mobile | T1636.002 | Call Log (sub-technique) | Tangelo contains functionality to gather call logs. [1]
Mobile | T1430 | Location Tracking | Tangelo contains functionality to gather GPS coordinates. [1]
Mobile | T1409 | Stored Application Data | Tangelo accesses databases from WhatsApp, Viber, Skype, and Line. [1]
Mobile | T1429 | Audio Capture | Tangelo contains functionality to record calls as well as the victim device's environment. [1]
Mobile | T1533 | Data from Local System | Tangelo accesses browser history, pictures, and videos. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
2e926b05b8d0f816...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle 2e926b05b8d0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Lookout-StealthMango
      Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  [2] Tangelo
      (Citation: Lookout-StealthMango)
  [3] mitre-attack S0329

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.