Supply Chain Compromise

As further described in Supply Chain Compromise, supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.

Related PRE-ATT&CK techniques include:

  • Identify vulnerabilities in third-party software libraries - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library [1]. Grace et al. identified security issues in mobile advertisement libraries [2].
  • Distribute malicious software development tools - As demonstrated by the XcodeGhost attack [3], app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.
ID: T1474

Tactic Type:  Post-Adversary Device Access

Tactic: Initial Access

Platform:  Android, iOS

MTC ID:  APP-6

Version: 1.0

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Examples

Name Description
Adups

Adups was pre-installed on Android devices from some vendors.[4][5]

Allwinner

A Linux kernel distributed by Allwinner reportedly contained an simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors.[6]

Stealth Mango

Stealth Mango in at least one case may have been installed using physical access to the device by a repair shop.[7]

XcodeGhost

XcodeGhost was injected into apps by a modified version of Xcode (Apple's software development tool).[3][8]

Detection

  • Insecure third-party libraries could be detected by application vetting techniques. For example, Google's App Security Improvement Program detects the use of third-party libraries with known vulnerabilities within Android apps submitted to the Google Play Store.
  • Malicious software development tools could be detected by enterprises deploying integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.

References