In this talk, we will unveil the new in-house capabilities of a nation state actor who has been observed deploying both Android and iOS surveillance tooling, known as Stealth Mango and Tangelo. The actor behind these offensive capabilities has successfully compromised the devices of government officials and military personnel in numerous countries with some directly impacting Western interests. Our research indicates this capability has been created by freelance developers who primarily release commodity spouse-ware but moonlight by selling their own custom surveillanceware to state actors. One such state actor has been observed deploying Stealth Mango and this presentation will unveil the depth and breadth of their campaigns, detailing not only how we watched them grow and develop, test, QA, and deploy their offensive tooling, but also how operation security mistakes ultimately led to their attribution.
Andrew Blaich is a security researcher and the head of device intelligence at Lookout where he is focused on threat hunting and vulnerability research. Andrew has presented on several surveillanceware actors including Pegasus, Chrysaor, and Dark Caracal. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a PhD in computer science, and engineering from the University of Notre Dame in enterprise security and wireless networking. Andrew has presented at conferences including Black Hat, SAS, RSA, ACSC, and ShmooCon. In his free time, he loves to run.
Michael Flossman is the Head of Lookout's Threat Intelligence services where he is responsible for discovering and analyzing sophisticated mobile threats being deployed in targeted attacks. He has recently worked on multiple high profile investigations that have involved tracking and writing about the evolution and deployment of surveillanceware tools like Pegasus, ViperRAT, FrozenCell, Dark Caracal, StealthMango, JadeRAT, and Tangelo to name but a few. His background is in security assessments, pen-testing, reverse engineering, prototyping, incident response, and vulnerability research.