Supply Chain Compromise: Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

ID: T1474.003
Sub-technique of:  T1474
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
Version: 1.0
Created: 28 March 2022
Last Modified: 05 April 2022

Procedure Examples

ID Name Description
S0309 Adups

Adups was pre-installed on Android devices from some vendors.[1][2]

S0319 Allwinner

A Linux kernel distributed by Allwinner reportedly contained an simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors.[3]


CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.[4]

S0328 Stealth Mango

In at least one case, Stealth Mango may have been installed using physical access to the device by a repair shop.[5]

S0424 Triada

Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.[6][7]


ID Mitigation Description
M1001 Security Updates

Security updates may contain patches that inhibit system software compromises.

M1004 System Partition Integrity

Ensure Verified Boot is enabled on devices with that capability.


Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.