Stealth Mango and The Prevalence of Mobile Surveillanceware
BlackHat USA 2018
Las Vegas, Nevada
Who are we?
Andrew Blaich, Head of Device Intelligence at Lookout
Michael Flossman, Head of Professional Services at Lookout
You may remember us from research into:
• Pegasus for iOS
• Dark Caracal (Pallas)
• Chrysaor
• Desert Scorpion
• Frozencell
• xRAT
• Titan
Agenda
1. Background
2. Stealth Mango
3. Infrastructure
4. Exfiltrated Data
5. Identities
6. Tangelo
7. Attack Vectors
Background
Op C-Major and Transparent Tribe
Op C-Major / Transparent Tribe
Previously in Nation State activity
• Targeted attacks primarily against members of the Indian military
• Combination of Windows and mobile malware
• Long running, effective, but low sophistication
• Social engineering
March 2016
Op C-Major / Transparent Tribe
Previously in Nation State activity
• Spear phishing targeting Indian embassies in Astana (KZ) and Riyadh (SA)
• Watering hole
• Indian military themed content
• Links to malicious files
[Screenshots: email sent to Embassy in Astana, KZ; email sent to Embassy in Riyadh, SA]
March 2016
Op C-Major / Transparent Tribe
Previously in Nation State activity
• ‘It was able to get at least 16 gigabytes worth of data from 160 targets.’
• ‘…what caught our interest, apart from its highly targeted nature, is the lack of sophistication in the tools and tactics it used…’
• ‘…this targeted attack campaign is amateur at best, sloppy at worst…’
March 2016
Op C-Major / Transparent Tribe
Previously in Nation State activity
• Front door left open for 4th party data collection
• Testing on personal machines
• Exfil contained Viber conversation with developer Sajid Iqbal.
• Name and phone # linked to domains appstertech[.]com and guddyapps[.]com.
• Another C2 linked to Faisal Hanif
[Image from Proof Point’s Transparent Tribe report]
Purveyors of Spouseware
Because “caring” means installing spyware on the devices of your loved ones <3
Faisal Hanif, Manager Operation
‘Founder And Manager Operations With 20+ Years Of IT Experience.’
Sajid Iqbal, Application Architect
‘He does not believe in future, He creates his own.’
ANDRORAT linked to APT activity
zero ! given
What is next?
Always be developin.
Stealth Mango / Tangelo
Stealth Mango
Android malware
Stealth Mango
App Capabilities
Ask for permission, beg for nothing.
• Record audio
  • Environment audio (hot mic)
  • Call recording
• Record screen
  • Record the screen if WhatsApp is foregrounded
• Track device location
  • Adjustable rate of tracking
• Exfiltrate multimedia
  • Shared videos, images, and audio content from external storage
• Device information
  • Retrieve battery levels, wifi and GPS status, storage and cellular carrier info
• Enumerate installed apps
• Record keystrokes
• Retrieve contacts and related data:
  • Contact photos
  • Google Talk, AIM, ICQ, Jabber, QQ, Skype, MSN, or NetMeeting details
  • Email address
  • Phone numbers
  • Names
• Receive instructions via text messages
• Silently drop calls from blacklist
• Delete text messages
• Hide icon
Exploits?
All the permissions
• Phishing!
• Exploits were not needed to run this effective surveillanceware campaign … although superuser’s nice.
• Ask and the user will more than likely grant all the permissions the malware needs.
Stealth Mango
APK Implants

Package Name                     App Name
com.gbooking.googleupdater       GoogleUpdater
com.update.system                System
com.itelephone.dialer            Dialer
com.due.gplayer                  GPlayer
com.maps.lgmaps                  gmaps
com.booking.gvoice               GVoice
com.gsync                        Gsync
com.play.pservies                Pservies
com.lgoogle.playupdate           Playupdater
com.gsearch.ichrome              iChrome

42 known samples (as of May 10, 2018)
Stealth Mango
C2 Communication

POST /admin/newuser.php HTTP/1.1
{"imei":"555244581248457","tag":"sf"}

HTTP/1.1 200 OK
{"status":{"code":200,"message":"User already exist"},
 "response":{"settings":{"state":"1","dataSending":"1","sms":"1","voice":"1",
   "cellid":"0","browserhistory":"1","pictures":"1","videos":"0","gpsInterval":"1",
   "recording":"0","numbers":[""],"videoTime":["2"],"audioTime":["10:00,14:00"],
   "camTime":[""]}}}

POST /admin/data/collectdata-new.php HTTP/1.1
{"a":" 555244581248457",
 "b":[{"locationLattitude":"","locationLongitude":"","smsBody":"Hey what’s up?",
       "smsRecipient":"+1556872663","smsStatus":"1","smsTime":"2018-02-09 01:15:29",
       "smsType":"Sent","Id":1}],
 "c":[{"callDirection":"Outgoing","callDuration":"1035082",
       "callName":"2018-02-03 21:10:58 EST","callNumber":"+1556872663",
       "callStartTime":"2018-02-03 21:10:58","callStatus":"1","callerName":"",
       "locationLattitude":"0.0","locationLongitude":"0.0","Id":1}],
 "d":[],"e":[],
 "f":[{"installTime":"2018-02-20 16:34:50","name":"GoogleUpdater",
       "packageName":"com.gbooking.googleupdater","status":"1","version":"1.0.0"}],
 "g":{"audioStorage":"0.00GB","batteryLevel":"42%","carrierName":"T-Mobile",
      "deviceStorage":"1.93GB / 1.94GB","deviceName":"Bebop","isGpsOn":"true",
      "isWifiOn":"false","otherStorage":"0.01GB","photosStorage":"0.00GB",
      "videosStorage":"0.00GB","appVersion":"2","imei":" 555244581248457"},
 "h":{"imsi":"311778431023993","cellNumber":"15556112203","Id":0}}

HTTP/1.1 200 OK
{"status":{"code":<success | fail code>,"message":"<success | fail msg>"}}
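To show how a defender might triage the two exchanges above, here is an added Python example (not Lookout's code and not from the slides) that recognises the check-in and upload request shapes, decodes which collection modules the check-in response enables, and summarises what an upload contains. The section-letter meanings and the sample payloads are taken from the captured messages on this slide; sections "d" and "e" are empty in the capture, so their meaning is left unknown rather than guessed.

```python
"""Triage helpers for Stealth Mango C2 traffic (added example, not Lookout's code).

The check-in to /admin/newuser.php returns per-device "settings" chosen by the
operator; the upload to /admin/data/collectdata-new.php carries collected
records under single-letter keys.  Mappings below are read off the capture.
"""
import json

# C2 paths seen in the captured exchanges.
CHECKIN_PATH = "/admin/newuser.php"
COLLECT_PATH = "/admin/data/collectdata-new.php"

# Settings flags whose value "1" enables a collection module.
SETTING_FLAGS = {
    "state": "implant active",
    "dataSending": "data upload",
    "sms": "SMS collection",
    "voice": "call recording",
    "cellid": "cell-id tracking",
    "browserhistory": "browser history",
    "pictures": "image exfiltration",
    "videos": "video exfiltration",
    "recording": "environment audio",
}

# What each single-letter section of the upload carries ("d"/"e" unknown).
SECTION_NAMES = {
    "a": "imei", "b": "sms", "c": "calls", "d": "unknown-d", "e": "unknown-e",
    "f": "installed_apps", "g": "device_info", "h": "sim_info",
}

def is_stealth_mango_request(method, path, body):
    """Flag a request that matches the check-in or upload shape from the capture."""
    if method != "POST":
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, dict):
        return False
    if path == CHECKIN_PATH:
        return set(data) == {"imei", "tag"}
    if path == COLLECT_PATH:
        return "a" in data and any(k in data for k in "bcdefgh")
    return False

def enabled_modules(checkin_response):
    """Return the modules the operator turned on, plus the audio/GPS schedule."""
    settings = json.loads(checkin_response)["response"]["settings"]
    enabled = sorted(name for key, name in SETTING_FLAGS.items()
                     if settings.get(key) == "1")
    windows = [w for w in settings.get("audioTime", []) if w]
    return {"enabled": enabled, "audio_windows": windows,
            "gps_interval": settings.get("gpsInterval")}

def summarize_upload(collect_payload):
    """Count records per section and pull out identifiers for an IR ticket."""
    data = json.loads(collect_payload)
    counts = {name: len(data[key]) for key, name in SECTION_NAMES.items()
              if isinstance(data.get(key), list)}
    sim = data.get("h", {})
    ids = {
        "imei": data.get("a", "").strip(),  # capture shows a leading space
        "imsi": sim.get("imsi"),
        "msisdn": sim.get("cellNumber"),
        "implant_package": [app.get("packageName") for app in data.get("f", [])],
    }
    return {"counts": counts, "identifiers": ids}

# Sample messages, constructed from the values on this slide (trimmed fields).
CHECKIN_RESPONSE = json.dumps({
    "status": {"code": 200, "message": "User already exist"},
    "response": {"settings": {
        "state": "1", "dataSending": "1", "sms": "1", "voice": "1", "cellid": "0",
        "browserhistory": "1", "pictures": "1", "videos": "0", "gpsInterval": "1",
        "recording": "0", "numbers": [""], "videoTime": ["2"],
        "audioTime": ["10:00,14:00"], "camTime": [""]}}})

COLLECT_PAYLOAD = json.dumps({
    "a": " 555244581248457",
    "b": [{"smsBody": "Hey what's up?", "smsRecipient": "+1556872663",
           "smsType": "Sent", "Id": 1}],
    "c": [{"callDirection": "Outgoing", "callNumber": "+1556872663", "Id": 1}],
    "d": [], "e": [],
    "f": [{"name": "GoogleUpdater", "packageName": "com.gbooking.googleupdater",
           "version": "1.0.0"}],
    "g": {"deviceName": "Bebop", "imei": " 555244581248457"},
    "h": {"imsi": "311778431023993", "cellNumber": "15556112203", "Id": 0},
})

if __name__ == "__main__":
    print(enabled_modules(CHECKIN_RESPONSE))
    print(summarize_upload(COLLECT_PAYLOAD))
```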
Stealth Mango
C2 Communication
[Source listing: ~80% commented out code]
Stealth Mango & The One Spy
From Spouseware to Nation State Tooling
[Side-by-side code comparison: Stealth Mango vs. The One Spy]
Ox-I-Gen / TheOneSpy
• Company based in Sydney, Australia
• Developers based in Lahore, Pakistan
• Developers reused parts of TheOneSpy code
• Mango and Tangelo implants have related heuristics to known TheOneSpy samples
Infrastructure
Where are they operating?
Infrastructure for Stealth Mango used two primary IP addresses.
• The server itself (217.182.147[.]171) is hosted in France
• The jump box to that server located in Canada (158.69.159[.]57).
• Additional jump boxes were found within development APKs
WSO - Web Shell Access
● The main server may have been compromised by an unknown third party.
● Possible to login unauthenticated simply by browsing to a specific URL.
● A user can also use it to connect to local MySQL databases, execute arbitrary PHP scripts, run various file operations, retrieve server details, and run console commands.
WSO - Web Shell Access (development box)
● Additional WSO shells found on non-C2 infrastructure.
● Contains development web-apps and APKs for a variety of projects related to Appstertech, Mobilekare, mStealthAgent, etc.
● Developers may prefer to use WSO for their system administration…
Exfiltrated Data
What did they get?
Over 30 GB of data from compromised devices
Highlights:
• Letters and internal government communications
• Detailed travel information
• Pictures of IDs and passports
• GPS coordinates of pictures and devices
• Legal and medical documents
• Developer information including whiteboard sessions, account information, and test devices
• Photos of military, government, and related officials from closed door meetings including U.S. Army personnel
Exfiltrated Data
• 30,000+ Images
• 6000+ Call Recordings
• 600+ Videos
• Dozens of environment recordings
Targets
Regional Based Infections
[Screenshot slides: Communications; Travel Information; Military and Government; GPS Tracking; Airport Surveillance]
Identities
Who is behind it?
• Stealth Mango similarities to other commodity spyware families categorized as “spouseware.”
• Research into the infrastructure behind these families has consistently linked back to several key individuals from:
  • Fi9tech, Appstertech, Vopium, Ox-i-Gen, super innovative
Identities
Associated Stealth Mango and Tangelo Developers
Identities
• These freelance developers produced a number of legitimate apps in the Google Play and the iOS App Stores.
• They have also built their own surveillanceware and have purchased related domains throughout the years in attempts to monetize it:
  • mstealthagent[.]com
  • iphonespyingsoftware[.]org
  • iphonespyingapps[.]org
  • iphonespyingapps[.]info
• Data exfil suggests the developers “dog-fooded” Stealth Mango and Tangelo on the phones of their family members and relatives.
Identities
mstealthagent[.]com
Operator
Admin logins to C2 server from G-8 area in Islamabad, Pakistan
Tangelo
iOS malware
Debian Package; Jailbreak required
Tangelo
iOS Implant
• Debian package
• Discovered on developer infrastructure
• Requires a jailbroken or compromised device
• Collects
  • CR - Call Records
  • VD - Video
  • GL - Gallery/Images
  • SR - Surrounding Recordings
• Collects SMS messages
• Collects GPS coordinates
• Collects contacts, calendars, call logs
• Data from WhatsApp, Viber, Skype, and Line

Bundle ID                      Team ID
com.mobilekare.notifierrrr     GUDCEEC5K9

● Some heuristics similar to TheOneSpy
● Android is the primary tooling used in these campaigns
Tangelo
Teardown of com.mobilekare.notifierrrr_1.2_iphoneos-arm.deb
● Package Installation Footprint:
• /Applications/iNotifier.app
• /Library/iNotifier.app
• /Library/LaunchDaemons/com.mobilekare.notifierrrr.plist
● Runtime Installation Footprint:
• /private/var/tmp/skp.xml
• /private/var/tmp/CallHistory
• /private/var/tmp/AddressBook.sqlitedb
• /private/var/tmp/programer.plist
• /private/var/tmp/iMyAudioMemo.ma4
• /private/var/tmp/image.jpg
• /private/var/tmp/com.apple.mobile.installation.plist
• /usr/libexec/iNotifier
Tangelo
Under the hood
[Screenshot: AppsterTech links in the binary]
[Screenshot: functionality to read all SMS data]
Tangelo
Infrastructure Re-use
The Tangelo developers were found to be re-using malware-linked infrastructure in their legitimate iOS apps for non-malicious purposes.
hxxp://128.199.53[.]121/verify_server.php
Attack Vectors
Infection Vectors
Phishing
• secure-apps.azurewebsites[.]net
• Fake Facebook persona
• Phishing URL to fake App Store
Facebook Personas
Infection Vectors
• Physical Access
• Credential Phishing
Takedowns
Stealth Mango & Tangelo
Freelance developed, nation state deployed
Android and iOS implants
• Android - StealthMango aka StealthAgent
• iOS - Tangelo
• Development and surveillance were very active
Targets
• Primary - Activists, government officials, and members of the military in Pakistan, Afghanistan, India, Iraq, and the UAE
• Secondary – inadvertent collection from victims in the United States, Australia, UK and elsewhere
Threat Actor & Associated Developers
• Freelance developers – linked to TheOneSpy
• APT group or individual(s) believed to be a part of the Pakistani Military and previously linked to Operation C Major and Transparent Tribe.
References
• Lookout full report: https://blog.lookout.com/stealth-mango
• Amnesty full report: https://www.amnesty.org/en/latest/news/2018/05/pakistan-campaign-of-hacking-spyware-and-surveillance-targets-human-rights-defenders/
• Trend Micro: http://documents.trendmicro.com/assets/pdf/indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf
• Proof Point: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
Contact Us
Email: threatintel@lookout.com
Andrew Blaich
@ablaich
Michael Flossman
@terminalrift
Thank you!
Questions?
Note: All security research conducted by Lookout employees is performed according to the
Computer Fraud and Abuse Act (CFAA) of 1986. As such, analysis of adversary infrastructure and
the retrieval of any exposed data is limited to only that which is publicly accessible. Any sensitive
information obtained during this process, such as usernames or passwords, is never used in any
authentication-based situations where its use would grant access to services or systems.

 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 

Recently uploaded (20)

“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 

Stealth Mango and the Prevalence of Mobile Surveillanceware

  • 1. Stealth Mango and The Prevalence of Mobile Surveillanceware BlackHat USA 2018 Las Vegas, Nevada
  • 2. Who are we? Andrew Blaich, Head of Device Intelligence at Lookout. Michael Flossman, Head of Professional Services at Lookout. You may remember us from research into: • Pegasus for iOS • Dark Caracal (Pallas) • Chrysaor • Desert Scorpion • Frozencell • xRAT • Titan
  • 3. Agenda: 1. Background 2. Stealth Mango 3. Infrastructure 4. Exfiltrated Data 5. Identities 6. Tangelo 7. Attack Vectors
  • 4. Background Op C-Major and Transparent Tribe
  • 5. Op C-Major / Transparent Tribe. Previously in Nation State activity (March 2016): • Targeted attacks primarily against members of the Indian military • Combination of Windows and mobile malware • Long running, effective, but low sophistication • Social engineering
  • 6. Op C-Major / Transparent Tribe. Previously in Nation State activity (March 2016): • Spear phishing targeting Indian embassies in Astana (KZ) and Riyadh (SA) • Watering hole • Indian military themed content • Links to malicious files [Images: Email sent to Embassy in Astana, KZ; Email sent to Embassy in Riyadh, SA]
  • 7. Op C-Major / Transparent Tribe. Previously in Nation State activity (March 2016): • ‘It was able to get at least 16 gigabytes worth of data from 160 targets.’ • ‘…what caught our interest, apart from its highly targeted nature, is the lack of sophistication in the tools and tactics it used…’ • ‘…this targeted attack campaign is amateur at best, sloppy at worst…’
  • 8. Op C-Major / Transparent Tribe. Previously in Nation State activity: • Front door left open for 4th party data collection • Testing on personal machines • Exfil contained Viber conversation with developer Sajid Iqbal. • Name and phone # linked to domains appstertech[.]com and guddyapps[.]com. • Another C2 linked to Faisal Hanif [Image from Proof Point’s Transparent Tribe report]
  • 9. Purveyors of Spouseware. Because “caring” means installing spyware on the devices of your loved ones <3 Faisal Hanif, Manager Operation: ‘Founder And Manager Operations With 20+ Years Of IT Experience.’ Sajid Iqbal, Application Architect: ‘He does not believe in future, He creates his own.’ ANDRORAT linked to APT activity: zero ! given
  • 10. Purveyors of Spouseware. Because caring means installing spyware on the devices of your loved ones <3 Faisal Hanif, Manager Operation: ‘Founder And Manager Operations With 20+ Years Of IT Experience.’ Sajid Iqbal, Application Architect: ‘He does not believe in future, He creates his own.’
  • 11. What is next? Always be developin’. Stealth Mango, Tangelo
  • 13. Stealth Mango: App Capabilities. Ask for permission, beg for nothing. • Record audio • Environment audio (hot mic) • Call recording • Record screen • Record the screen if WhatsApp is foregrounded • Track device location • Adjustable rate of tracking • Exfiltrate multimedia • Shared videos, images, and audio content from external storage • Device information • Retrieve battery level, wifi and GPS status, storage and cellular carrier info • Enumerate installed apps • Record keystrokes • Retrieve contacts and related data: • Contact photos • Google Talk, AIM, ICQ, Jabber, QQ, Skype, MSN, or NetMeeting details • Email address • Phone numbers • Names • Receive instructions via text messages • Silently drop calls from blacklist • Delete text messages • Hide icon
  • 14. Exploits? All the permissions • Phishing! • Exploits were not needed to run this effective surveillanceware campaign … although superuser’s nice. • Ask and the user will more than likely grant all the permissions the malware needs.
  • 15. Stealth Mango: APK Implants. 42 known samples (as of May 10, 2018). Package name / App name: com.gbooking.googleupdater / GoogleUpdater; com.update.system / System; com.itelephone.dialer / Dialer; com.due.gplayer / GPlayer; com.maps.lgmaps / gmaps; com.booking.gvoice / GVoice; com.gsync / Gsync; com.play.pservies / Pservies; com.lgoogle.playupdate / Playupdater; com.gsearch.ichrome / iChrome
  • 17. Stealth Mango: C2 Communication
    Registration request:
    POST /admin/newuser.php HTTP/1.1
    {"imei":"555244581248457","tag":"sf"}
    Response:
    HTTP/1.1 200 OK
    {"status":{"code":200,"message":"User already exist"},"response":{"settings":{"state":"1","dataSending":"1","sms":"1","voice":"1","cellid":"0","browserhistory":"1","pictures":"1","videos":"0","gpsInterval":"1","recording":"0","numbers":[""],"videoTime":["2"],"audioTime":["10:00,14:00"],"camTime":[""]}}}
    Data upload:
    POST /admin/data/collectdata-new.php HTTP/1.1
    {"a":" 555244581248457", "b":[{"locationLattitude":"","locationLongitude":"","smsBody":"Hey what’s up?","smsRecipient":"+1556872663","smsStatus":"1","smsTime":"2018-02-09 01:15:29","smsType":"Sent","Id":1}], "c":[{"callDirection":"Outgoing","callDuration":"1035082","callName":"2018-02-03 21:10:58 EST", "callNumber":"+1556872663", "callStartTime":"2018-02-03 21:10:58", "callStatus":"1","callerName":"","locationLattitude":"0.0", "locationLongitude":"0.0","Id":1}], "d":[],"e":[], "f":[{"installTime":"2018-02-20 16:34:50", "name":"GoogleUpdater", "packageName":"com.gbooking.googleupdater","status":"1","version":"1.0.0"}], "g":{"audioStorage":"0.00GB","batteryLevel":"42%","carrierName":"T-Mobile","deviceStorage":"1.93GB / 1.94GB","deviceName":"Bebop", "isGpsOn":"true", "isWifiOn":"false","otherStorage":"0.01GB","photosStorage":"0.00GB","videosStorage":"0.00GB","appVersion":"2","imei":" 555244581248457"}, "h":{"imsi":"311778431023993","cellNumber":"15556112203","Id":0}}
    Response:
    HTTP/1.1 200 OK
    {"status":{"code":<success | fail code>,"message":"<success | fail msg>"}}
  • 18. Stealth Mango & The One Spy. From Spouseware to Nation State Tooling [side-by-side: Stealth Mango, The One Spy]
  • 19. Stealth Mango & The One Spy. From Spouseware to Nation State Tooling [side-by-side: Stealth Mango, The One Spy]
  • 20. Stealth Mango & The One Spy. From Spouseware to Nation State Tooling
  • 21. Ox-I-Gen / TheOneSpy • Company based in Sydney, Australia • Developers based in Lahore, Pakistan • Developers reused parts of TheOneSpy code • Mango and Tangelo implants have related heuristics to known TheOneSpy samples
  • 23. Infrastructure (Worldwide Cyber). Infrastructure for Stealth Mango used two primary IP addresses. • The server itself (217.182.147[.]171) is hosted in France • The jump box to that server is located in Canada (158.69.159[.]57). • Additional jump boxes were found within development APKs
  • 26. WSO - Web Shell Access ● The main server may have been compromised by an unknown third party. ● Possible to log in unauthenticated simply by browsing to a specific URL. ● A user can also use it to connect to local MySQL databases, execute arbitrary PHP scripts, run various file operations, retrieve server details, and run console commands.
  • 27. WSO - Web Shell Access (development box) ● Additional WSO shells found on non-C2 infrastructure. ● Contains development web-apps and APKs for a variety of projects related to Appstertech, Mobilekare, mStealthAgent, etc. ● Developers may prefer to use WSO for their system administration…
  • 29. Exfiltrated Data. Over 30 GB of data from compromised devices. Highlights: • Letters and internal government communications • Detailed travel information • Pictures of IDs and passports • GPS coordinates of pictures and devices • Legal and medical documents • Developer information including whiteboard sessions, account information, and test devices • Photos of military, government, and related officials from closed door meetings including U.S. Army personnel
  • 30. Exfiltrated Data • 30,000+ images • 6000+ call recordings • 600+ videos • Dozens of environment recordings
  • 42. Identities: Associated Stealth Mango and Tangelo Developers • Stealth Mango has similarities to other commodity spyware families categorized as “spouseware.” • Research into the infrastructure behind these families has consistently linked back to several key individuals from: • Fi9tech, Appstertech, Vopium, Ox-i-Gen, super innovative
  • 43. Identities • These freelance developers produced a number of legitimate apps in the Google Play and iOS App Stores. • They have also built their own surveillanceware and have purchased related domains throughout the years in attempts to monetize it: • mstealthagent[.]com • iphonespyingsoftware[.]org • iphonespyingapps[.]org • iphonespyingapps[.]info • Data exfil suggests the developers “dog-fooded” Stealth Mango and Tangelo on the phones of their family members and relatives.
  • 47. Operator Admin Logins to C2 Server from G-8 area in Islamabad, Pakistan
  • 49. Tangelo: iOS Implant • Debian package • Discovered on developer infrastructure • Requires a jailbroken or compromised device • Collects: • CR - Call Records • VD - Video • GL - Gallery/Images • SR - Surrounding Recordings • Collects SMS messages • Collects GPS coordinates • Collects contacts, calendars, call logs • Data from WhatsApp, Viber, Skype, and Line. Bundle ID: com.mobilekare.notifierrrr; Team ID: GUDCEEC5K9 ● Some heuristics similar to TheOneSpy ● Android is the primary tooling used in these campaigns
  • 52. Tangelo ● Package Installation Footprint: • /Applications/iNotifier.app • /Library/iNotifier.app • /Library/LaunchDaemons/com.mobilekare.notifierrrr.plist ● Runtime Installation Footprint: • /private/var/tmp/skp.xml • /private/var/tmp/CallHistory • /private/var/tmp/AddressBook.sqlitedb • /private/var/tmp/programer.plist • /private/var/tmp/iMyAudioMemo.ma4 • /private/var/tmp/image.jpg • /private/var/tmp/com.apple.mobile.installation.plist • /usr/libexec/iNotifier
  • 56. Tangelo Infrastructure Re-use. The Tangelo developers were found to be re-using malicious-linked infrastructure in their legitimate iOS apps for non-malicious uses: hxxp://128.199.53[.]121/verify_server.php
  • 59. Fake Facebook persona. Phishing URL to Fake App Store
  • 65. Stealth Mango & Tangelo. Freelance developed, nation state deployed Android and iOS implants • Android - Stealth Mango aka StealthAgent • iOS - Tangelo • Development and surveillance was very active. Targets • Primary - Activists, government officials, and members of the military in Pakistan, Afghanistan, India, Iraq, and the UAE • Secondary – inadvertent collection from victims in the United States, Australia, UK and elsewhere. Threat Actor & Associated Developers • Freelance developers – linked to TheOneSpy • APT group or individual(s) believed to be a part of the Pakistani Military and previously linked to Operation C-Major and Transparent Tribe.
  • 66. References • Lookout full report: https://blog.lookout.com/stealth-mango • Amnesty full report: https://www.amnesty.org/en/latest/news/2018/05/pakistan-campaign-of-hacking-spyware-and-surveillance-targets-human-rights-defenders/ • Trend Micro: http://documents.trendmicro.com/assets/pdf/indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf • Proof Point: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
  • 67. Contact Us Email: threatintel@lookout.com Andrew Blaich @ablaich Michael Flossman @terminalrift
  • 68. Thank you! Questions? Note: All security research conducted by Lookout employees is performed according to the Computer Fraud and Abuse Act (CFAA) of 1986. As such, analysis of adversary infrastructure and the retrieval of any exposed data is limited to only that which is publicly accessible. Any sensitive information obtained during this process, such as usernames or passwords, is never used in any authentication-based situations where its use would grant access to services or systems.
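The C2 exchange from slide 17 (registration through newuser.php, then uploads to collectdata-new.php) turned into network detection logic, as an added example that is not part of the original deck or Lookout's tooling. The captured request lines and the benign request are constructed from the values quoted on that slide and on the APK Implants slide; the function names and the one-request-per-line capture format are this example's own assumptions.

```python
"""Detector for the Stealth Mango C2 exchange shown on slide 17 (added example).

Flags captured HTTP requests matching the implant's registration and upload
calls, extracts the IMEI, and reports which settings the C2 reply switched on.
"""
import json
import re
from typing import Optional

# Endpoints and JSON keys quoted on the slide. Keys d and e are empty there,
# so their meaning is unknown and they are left unlabelled.
C2_PATHS = {"/admin/newuser.php": "register",
            "/admin/data/collectdata-new.php": "collect"}
COLLECT_KEYS = {"b": "sms", "c": "calls", "f": "apps", "g": "device", "h": "sim"}
IMPLANT_PACKAGES = {  # from the APK Implants slide
    "com.gbooking.googleupdater", "com.update.system", "com.itelephone.dialer",
    "com.due.gplayer", "com.maps.lgmaps", "com.booking.gvoice", "com.gsync",
    "com.play.pservies", "com.lgoogle.playupdate", "com.gsearch.ichrome",
}
# Assumed capture format, one request per line: "POST <path> HTTP/1.x <json>".
REQ_RE = re.compile(r"^POST\s+(\S+)\s+HTTP/1\.[01]\s*(\{.*\})?$", re.S)


def parse_request(raw: str) -> Optional[dict]:
    """Return an alert dict for a Stealth Mango C2 request, otherwise None."""
    m = REQ_RE.match(raw.strip())
    if not m or m.group(2) is None:
        return None
    kind = C2_PATHS.get(m.group(1))
    if kind is None:
        return None
    try:
        data = json.loads(m.group(2))
    except json.JSONDecodeError:
        return None  # right path, but not the implant's JSON body
    if kind == "register" and {"imei", "tag"} <= data.keys():
        return {"kind": kind, "imei": data["imei"], "tag": data["tag"]}
    if kind == "collect" and "a" in data:
        # Count records per collection module; dict-valued modules count as 1.
        modules = {COLLECT_KEYS[k]: (len(v) if isinstance(v, list) else 1)
                   for k, v in data.items() if k in COLLECT_KEYS}
        # The app inventory in "f" gives away the implant's own package name.
        apps = [e.get("packageName") for e in data.get("f", [])
                if e.get("packageName") in IMPLANT_PACKAGES]
        # The slide shows the IMEI in "a" with a leading space; normalise it.
        return {"kind": kind, "imei": str(data["a"]).strip(),
                "modules": modules, "implant_apps": apps}
    return None


def enabled_settings(register_response: str) -> list:
    """Settings the C2 turned on ("1") in its reply to newuser.php."""
    settings = json.loads(register_response)["response"]["settings"]
    return sorted(k for k, v in settings.items() if v == "1")


def scan(lines) -> list:
    return [a for a in map(parse_request, lines) if a is not None]


SAMPLE_CAPTURE = [  # constructed from the values quoted on the slide
    'POST /admin/newuser.php HTTP/1.1 {"imei":"555244581248457","tag":"sf"}',
    'POST /admin/data/collectdata-new.php HTTP/1.1 '
    '{"a":" 555244581248457",'
    '"b":[{"smsBody":"Hey what\'s up?","smsRecipient":"+1556872663",'
    '"smsTime":"2018-02-09 01:15:29","smsType":"Sent","Id":1}],'
    '"c":[{"callDirection":"Outgoing","callDuration":"1035082",'
    '"callNumber":"+1556872663","callStartTime":"2018-02-03 21:10:58","Id":1}],'
    '"d":[],"e":[],'
    '"f":[{"installTime":"2018-02-20 16:34:50","name":"GoogleUpdater",'
    '"packageName":"com.gbooking.googleupdater","status":"1","version":"1.0.0"}],'
    '"g":{"batteryLevel":"42%","carrierName":"T-Mobile","deviceName":"Bebop",'
    '"isGpsOn":"true","isWifiOn":"false","appVersion":"2","imei":" 555244581248457"},'
    '"h":{"imsi":"311778431023993","cellNumber":"15556112203","Id":0}}',
    'POST /api/v1/sync HTTP/1.1 {"token":"placeholder"}',  # unrelated traffic
]
REGISTER_RESPONSE = (  # the newuser.php reply body from the slide
    '{"status":{"code":200,"message":"User already exist"},"response":{"settings":'
    '{"state":"1","dataSending":"1","sms":"1","voice":"1","cellid":"0",'
    '"browserhistory":"1","pictures":"1","videos":"0","gpsInterval":"1",'
    '"recording":"0","numbers":[""],"videoTime":["2"],"audioTime":["10:00,14:00"],'
    '"camTime":[""]}}}')

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print(alert)
    print("C2 enabled:", enabled_settings(REGISTER_RESPONSE))
```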