Supply Chain Compromise: Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

ID: T1474.003
Sub-technique of: T1474
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
Version: 1.1
Created: 28 March 2022
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0309 Adups

Adups was pre-installed on Android devices from some vendors.[1][2]

S0319 Allwinner

A Linux kernel distributed by Allwinner reportedly contained a simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by the authors by mistake.[3]

S0555 CHEMISTGAMES

CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.[4]

S0328 Stealth Mango

In at least one case, Stealth Mango may have been installed using physical access to the device by a repair shop.[5]

S0424 Triada

Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.[6][7]

Mitigations

ID Mitigation Description
M1001 Security Updates

Security updates may contain patches that inhibit system software compromises.

M1004 System Partition Integrity

Ensure Verified Boot is enabled on devices with that capability.

Detection Strategy

DET0721 Detection of Compromise Software Supply Chain

AN1853

The defender correlates the arrival, installation, or update of a trusted or expected application with a subsequent deviation in package trust characteristics, permission posture, protected-resource use, framework behavior, or network communication that is inconsistent with the known-good role of that app. The strongest Android evidence is a managed or trusted package whose first-run or post-update behavior introduces unexpected special access, sensitive sensor use, unusual background execution, privileged framework interaction, or outbound communication to destinations outside the app's baseline shortly after installation or update.

AN1854

Anchor on supervised managed-app install/update or version drift, then correlate with unexpected background activity, managed-app state changes, or egress inconsistent with the app's historical and policy baseline.
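The correlation that AN1853 and AN1854 describe can be expressed as a small analytic: anchor on an install/update event for a managed app, then attribute any deviation from that app's known-good baseline (signer, permissions, special access, background execution, egress destinations) that occurs within a window after the anchor. The following is an added example written for this page, not MITRE's or any vendor's detection code; the line-oriented telemetry format, the package name com.example.notes, the signer digests, the `.invalid` hostnames and the baseline contents are all constructed for the demonstration.

```python
"""Added example: correlate a managed app's install/update with post-update
deviations from its known-good baseline (signer drift, new permissions,
special access, background execution, non-baseline egress)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed known-good baseline per managed package. In practice this is
# built from MDM inventory plus the app's historical telemetry.
BASELINE = {
    "com.example.notes": {
        "signer": "sha256:aaaa",  # placeholder signing-certificate digest
        "permissions": {"android.permission.INTERNET"},
        "egress": {"sync.example-notes.invalid"},
    },
}

# How long after an install/update a deviation is still attributed to it.
WINDOW = timedelta(hours=24)


@dataclass
class Finding:
    device: str
    package: str
    trigger: str   # the install/update event that anchored the correlation
    reason: str
    ts: datetime


def parse_event(line: str) -> dict:
    """Parse one constructed telemetry line:
    '<iso-timestamp> <device> <event_type> <package> key=value ...'"""
    ts, device, etype, package, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "device": device,
             "type": etype, "package": package}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def deviation(event: dict, base: dict) -> Optional[str]:
    """Return a reason string if the event departs from the app's baseline."""
    t = event["type"]
    if t == "permission_grant" and event["permission"] not in base["permissions"]:
        return f"new permission {event['permission']}"
    if t == "special_access":  # e.g. accessibility service, device admin
        return f"special access granted: {event['access']}"
    if t == "net_egress" and event["dest"] not in base["egress"]:
        return f"egress to non-baseline destination {event['dest']}"
    if t == "background_exec":
        return f"unexpected background execution ({event.get('component', '?')})"
    return None


def correlate(lines, baseline=BASELINE, window=WINDOW) -> list:
    """Anchor on install/update per (device, package); flag deviations in the window."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    anchors = {}    # (device, package) -> most recent install/update event
    findings = []
    for ev in events:
        base = baseline.get(ev["package"])
        if base is None:
            continue  # not a managed/trusted app: outside this analytic
        key = (ev["device"], ev["package"])
        if ev["type"] in ("app_install", "app_update"):
            anchors[key] = ev
            trigger = f"{ev['type']} v{ev.get('version', '?')}"
            # Package trust characteristic: signer drift at the anchor itself.
            if ev.get("signer", base["signer"]) != base["signer"]:
                findings.append(Finding(ev["device"], ev["package"], trigger,
                                        f"signer changed to {ev['signer']}", ev["ts"]))
            continue
        anchor = anchors.get(key)
        if anchor is None or ev["ts"] > anchor["ts"] + window:
            continue  # no recent install/update to attribute this behaviour to
        reason = deviation(ev, base)
        if reason:
            trigger = f"{anchor['type']} v{anchor.get('version', '?')}"
            findings.append(Finding(ev["device"], ev["package"], trigger, reason, ev["ts"]))
    return findings


# Constructed telemetry: a benign update, then an update with a different signer
# followed by behaviour outside the baseline, then an event outside the window.
SAMPLE_LOG = [
    "2025-10-24T09:00:00 dev-01 app_update com.example.notes version=2.4.0 signer=sha256:aaaa",
    "2025-10-24T09:03:10 dev-01 net_egress com.example.notes dest=sync.example-notes.invalid",
    "2025-10-24T09:05:00 dev-01 app_update com.example.notes version=2.5.0 signer=sha256:bbbb",
    "2025-10-24T09:06:00 dev-01 permission_grant com.example.notes permission=android.permission.READ_SMS",
    "2025-10-24T09:07:00 dev-01 special_access com.example.notes access=accessibility_service",
    "2025-10-24T09:08:30 dev-01 net_egress com.example.notes dest=cdn-update.example.invalid",
    "2025-10-24T09:09:00 dev-02 net_egress com.example.notes dest=sync.example-notes.invalid",
    "2025-10-26T10:00:00 dev-01 net_egress com.example.notes dest=late.example.invalid",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.device} {f.package} [{f.trigger}] {f.reason}")
```

On the constructed log the first update is silent because the signer and the subsequent sync egress match the baseline; the second update yields four findings, all attributed to `app_update v2.5.0`. The dev-02 egress is ignored because that device has no recent anchor, and the event two days later falls outside the 24-hour window, which is the point of anchoring on install/update rather than alerting on every new destination: the analytic asks whether a trusted package changed behaviour right after it changed.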

References