1. Home
  2. Techniques
  3. Mobile
  4. Supply Chain Compromise
  5. Compromise Software Supply Chain

Supply Chain Compromise: Compromise Software Supply Chain

ID Name
T1474.001 Compromise Software Dependencies and Development Tools
T1474.002 Compromise Hardware Supply Chain
T1474.003 Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

ID: T1474.003
Sub-technique of:  T1474
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: SPC-4, SPC-11, SPC-12, SPC-18, SPC-20
Version: 1.1
Created: 28 March 2022
Last Modified: 20 March 2023
Version Permalink

Procedure Examples

ID Name Description
S0309 Adups

Adups was pre-installed on Android devices from some vendors.[1][2]
S0319 Allwinner

A Linux kernel distributed by Allwinner reportedly contained an simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors.[3]
S0555 CHEMISTGAMES

CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.[4]
S0328 Stealth Mango

In at least one case, Stealth Mango may have been installed using physical access to the device by a repair shop.[5]
S0424 Triada

Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.[6][7]

Mitigations

ID Mitigation Description
M1001 Security Updates

Security updates may contain patches that inhibit system software compromises.
M1004 System Partition Integrity

Ensure Verified Boot is enabled on devices with that capability.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services can detect malicious code in applications.
DS0013 Sensor Health Host Status

System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.

References

  1. Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.
  2. Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.
  3. Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.
  4. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  1. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  2. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.
  3. Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019.