DET0721: Detection of Compromise Software Supply Chain
Analyst context for executives and security teams
This detection strategy matters because mobile app compromise can occur before the app reaches the user: in source code, the update or distribution path, or the compiled release itself. For executives and security leaders, the practical issue is trust in mobile software provenance, not just endpoint monitoring after installation.
Executive priority
Prioritize this as a supply-chain assurance and incident-readiness question for Android and iOS environments: do teams know which mobile apps are trusted, where they came from, how updates are validated, and what evidence would prove an app or release was tampered with? Because the ATT&CK object has no official detection text, leadership should treat DET0721 as a coverage-validation prompt rather than an assurance that a specific detection exists.
Technical view
DET0721 detects T1474.003, Compromise Software Supply Chain, in the mobile ATT&CK domain. SOC, mobile security, and IR teams should validate whether they can compare expected application provenance, signing, version, hash, and distribution-source data against what is actually installed or delivered to Android and iOS devices. Detection engineering should focus on deviations in app release integrity, unexpected update paths, or mismatches between approved and observed mobile application artifacts.
Likely telemetry
- Mobile device management or enterprise mobility inventory for installed apps, versions, publishers, and device scope
- Application signing certificate, package identifier, version, and hash metadata where available
- Approved mobile app catalog or allowlist records
- App distribution and update-source logs, including enterprise app stores or managed distribution channels
- Build, release, and artifact repository records for internally developed mobile applications, where applicable
Detection direction
- Confirm whether Android and iOS mobile app inventories can be correlated with approved software sources and expected release metadata.
- Tune for integrity or provenance mismatches, such as unexpected signing information, unapproved distribution sources, or versions not matching approved release records.
- Account for false positives from legitimate emergency releases, regional app variants, beta channels, or unmanaged personal app installs if those are in scope.
- Because the official detection field is not provided, avoid assuming ATT&CK defines a specific analytic; document local detection logic, required data sources, and tested gaps.
- Use the relationship to T1474.003 to frame triage around three compromise points: source code manipulation, update/distribution mechanism manipulation, and replacement of compiled releases.
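The telemetry and detection direction above amount to one correlation: take each installed-app record from the MDM or EMM inventory and compare its package identifier, signing identity, version, artifact hash and distribution source against the approved catalog. The block below is an added example of that correlation, not code from the ATT&CK object or from Glexia's analysis. The catalog layout, the field names (`package_id`, `signer`, `source`, `channel`), the severities and every inventory record are constructed for illustration; the signing identity is modelled as the Android signing-certificate fingerprint or the iOS Team ID, which is how the two platforms anchor app provenance. It also demonstrates the false-positive case from the list above: a device legitimately enrolled in a beta channel is not flagged.

```python
"""Correlate a mobile app inventory against an approved release catalog.

Added example for the DET0721 discussion; all identifiers, hashes and
records below are constructed, not real apps or real telemetry.
"""
from dataclasses import dataclass
from typing import List

# Approved catalog, keyed by (platform, package identifier).
# "signer" is the Android signing-cert SHA-256 fingerprint or the iOS Team ID.
# "releases" maps an approved version to the expected artifact hash.
# "channels" lists versions that are legitimate only for enrolled devices.
APPROVED = {
    ("android", "com.example.fieldops"): {
        "signer": "cert:3f1c9e",
        "sources": {"managed-google-play", "enterprise-store"},
        "releases": {"4.2.0": "sha256:b7e21c", "4.2.1": "sha256:0d9177"},
        "channels": {"beta": {"4.3.0-beta1": "sha256:e5c02b"}},
    },
    ("ios", "com.example.fieldops"): {
        "signer": "TEAM12345",  # Apple Team ID (constructed)
        "sources": {"apple-business-manager"},
        "releases": {"4.2.0": "sha256:9a8b5e"},
        "channels": {},
    },
}


@dataclass
class Finding:
    device: str
    platform: str
    package_id: str
    severity: str
    reason: str


def evaluate(rec: dict, catalog=APPROVED) -> List[Finding]:
    """Compare one inventory record with the catalog and return any findings."""
    def hit(severity, reason):
        return Finding(rec["device"], rec["platform"], rec["package_id"], severity, reason)

    entry = catalog.get((rec["platform"], rec["package_id"]))
    if entry is None:
        return [hit("medium", "package not in approved catalog")]

    findings = []
    # Signer is the strongest provenance signal: same package identifier but a
    # different signing identity means a different party built this artifact.
    if rec["signer"] != entry["signer"]:
        findings.append(hit("high", f"unexpected signer {rec['signer']}"))
    if rec["source"] not in entry["sources"]:
        findings.append(hit("high", f"unapproved distribution source {rec['source']}"))

    version, observed = rec["version"], rec["hash"]
    expected = entry["releases"].get(version)
    if expected is None:
        # Not a GA release. Allowed only if the device is enrolled in a
        # channel that carries exactly this build; otherwise it is an
        # unexpected update path and goes to review.
        channel = rec.get("channel")
        chan_hash = entry["channels"].get(channel, {}).get(version)
        if chan_hash is None:
            findings.append(hit("medium", f"version {version} not in approved release records"))
        elif observed != chan_hash:
            findings.append(hit("critical", f"{channel} build {version} differs from release record"))
    elif observed != expected:
        # Approved version string but different bytes: the pattern most
        # consistent with a replaced compiled release.
        findings.append(hit("critical", f"approved version {version} but artifact hash differs"))
    return findings


def run(inventory, catalog=APPROVED) -> List[Finding]:
    """Evaluate every inventory record; returns all findings in order."""
    return [f for rec in inventory for f in evaluate(rec, catalog)]


# Constructed MDM export rows: one per device and installed app.
INVENTORY = [
    {"device": "dev-01", "platform": "android", "package_id": "com.example.fieldops",
     "version": "4.2.1", "signer": "cert:3f1c9e", "source": "managed-google-play",
     "hash": "sha256:0d9177"},                                   # clean
    {"device": "dev-02", "platform": "android", "package_id": "com.example.fieldops",
     "version": "4.2.1", "signer": "cert:77d0aa", "source": "sideload",
     "hash": "sha256:c0ffee"},                                   # re-signed and sideloaded
    {"device": "dev-03", "platform": "android", "package_id": "com.example.fieldops",
     "version": "4.2.0", "signer": "cert:3f1c9e", "source": "enterprise-store",
     "hash": "sha256:dead00"},                                   # approved version, wrong bytes
    {"device": "dev-04", "platform": "android", "package_id": "com.example.fieldops",
     "version": "4.3.0-beta1", "signer": "cert:3f1c9e", "source": "managed-google-play",
     "hash": "sha256:e5c02b", "channel": "beta"},                # legitimate beta enrolment
    {"device": "dev-05", "platform": "ios", "package_id": "com.example.fieldops",
     "version": "4.2.0", "signer": "TEAM99999", "source": "apple-business-manager",
     "hash": "sha256:9a8b5e"},                                   # wrong Team ID
    {"device": "dev-06", "platform": "android", "package_id": "com.example.unlisted",
     "version": "1.0", "signer": "cert:111111", "source": "sideload",
     "hash": "sha256:111111"},                                   # not in catalog
]

if __name__ == "__main__":
    for f in run(INVENTORY):
        print(f"{f.severity:8} {f.device} {f.platform}/{f.package_id}: {f.reason}")
```

Two design points carry over to a real deployment. First, the three outcomes map onto the three compromise points named above: a hash mismatch on an approved version points at a replaced compiled release, an unknown version or unapproved source points at the update or distribution path, and a signer mismatch means someone other than the expected publisher built the artifact. Second, many MDM exports do not carry a per-artifact hash at all; when that field is missing, the signer and source checks are what remain, so verify which fields your inventory actually populates before relying on the hash branch.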
Mitigation priorities
- Establish and maintain an approved inventory of mobile applications and trusted distribution paths for Android and iOS use cases.
- Require integrity validation for internally developed or enterprise-distributed mobile apps, including signing and release metadata checks.
- Limit unmanaged or unapproved mobile app distribution where business requirements allow.
- Preserve release, signing, and distribution evidence so incident responders can compare expected artifacts with what reached devices.
- For critical mobile workflows, periodically test whether security teams can detect and investigate a tampered or unexpected mobile app release using available telemetry.
Analyst notes and limits
The ATT&CK object is a detection strategy, DET0721, with no official description, tactics, platforms, or detection text supplied. Its practical value comes from its relationship to T1474.003, which covers mobile software supply-chain compromise affecting Android and iOS application delivery.
This take is constrained by sparse official ATT&CK fields. It does not assert active exploitation, actor attribution, guaranteed detection coverage, or specific vendor controls. Local mobile management architecture, app distribution model, and logging availability determine whether the recommended validation is feasible.
Detection of Compromise Software Supply Chain
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1474.003 | Compromise Software Supply Chain (sub-technique) | This object detects Compromise Software Supply Chain. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4350989590cb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0721 (source URL preserved in the mirrored object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.