
S0319: Allwinner

Allwinner is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by Allwinner for use on these devices reportedly contained a backdoor. [1]

Domain: Mobile. ID: S0319. Type: Malware. Object version: 1.0.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Allwinner matters less as a traditional malware sample and more as a supply-chain trust case: the ATT&CK entry describes a vendor-distributed Linux kernel for devices using Allwinner processors that reportedly contained a backdoor. For leaders, the practical issue is whether the organization can identify affected device dependencies, validate firmware/kernel provenance, and produce evidence that mobile or embedded devices are sourced, updated, and monitored through controlled channels.

Executive priority

Treat this as a governance and resilience question around third-party software and device supply chains. Security leaders should ask whether procurement, asset management, vulnerability management, and incident response can quickly answer: which Android tablets or other devices depend on a given chipset or vendor kernel, what firmware/kernel versions are deployed, who approves updates, and what evidence would support audit or incident decisions if a supplier-distributed component is later found compromised.

Technical view

ATT&CK provides no object-level platforms, tactics, aliases, or detection guidance for Allwinner. The useful relationship is to T1474.003, Compromise Software Supply Chain, in the mobile domain. SOC, IR, and detection teams should therefore validate supply-chain visibility rather than look for a single guaranteed indicator: device inventory, firmware/kernel version tracking, approved update sources, mobile/embedded asset ownership, and exception handling for unmanaged or consumer-grade devices. Any investigation should be anchored in local evidence about deployed devices and vendor software lineage.

Likely telemetry

  • Mobile and embedded device inventory, including manufacturer, model, chipset, OS, firmware, and kernel version where available
  • Mobile device management or endpoint management records for enrolled Android tablets or similar devices
  • Procurement and supplier records tying devices to vendors, chipsets, firmware sources, and update channels
  • Firmware, kernel, or software bill of materials evidence where maintained
  • Network telemetry from managed device segments to identify unusual communications from affected device classes

Detection direction

  • Do not assume conventional malware signatures are sufficient; the ATT&CK object provides no detection text or indicators.
  • Validate whether the SOC can correlate device identity, firmware/kernel version, ownership, and network behavior for mobile or embedded devices.
  • Tune monitoring around unexpected communications or behavior from managed device classes, but treat findings as investigative leads requiring asset and firmware context.
  • Check for blind spots in unmanaged tablets, lab devices, operational devices, guest networks, and devices outside MDM coverage.
  • Use the related supply-chain technique context to review whether update sources, compiled releases, or vendor-provided images can be verified before deployment.

Mitigation priorities

  • Start with asset and dependency visibility: identify devices that may rely on vendor-supplied kernels or firmware and document ownership.
  • Require controlled procurement and approved update channels for mobile and embedded devices.
  • Maintain firmware/kernel version records and, where feasible, software provenance or SBOM-style evidence for regulated or critical environments.
  • Segment and monitor device classes that cannot provide strong host telemetry.
  • Define IR playbooks for supplier-distributed component concerns, including scoping, isolation, vendor coordination, and replacement or update decisions.
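The detection and mitigation bullets above both come down to one correlation: can the team tie each mobile or embedded device to an owner, an MDM record, a vendor-reported firmware/kernel version, and a verified image digest? The script below is an added example (not Glexia's tooling and not part of the ATT&CK object) that runs that correlation over a constructed inventory. The chipset names, version strings, asset IDs, image bytes and the approved-image manifest are all constructed sample data; in practice the manifest would come from a signed vendor release list or an internal SBOM/provenance store, and the inventory from asset management and MDM exports.

```python
"""Correlate device inventory, MDM enrollment and an approved-firmware manifest
to surface devices whose vendor-supplied kernel/firmware cannot be verified,
plus devices outside MDM coverage. All data below is constructed for the
example; field names and finding labels are assumptions, not a standard."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    asset_id: str
    model: str
    chipset: str                      # chipset/vendor family the kernel image comes from
    firmware_version: str             # vendor-reported firmware or kernel build
    owner: str                        # accountable team, needed for scoping and IR
    image: Optional[bytes] = None     # captured firmware image, if the team retained one


def sha256_hex(blob: bytes) -> str:
    """Digest used to compare a retained image against the approved manifest."""
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for vendor images so digests can be computed offline.
GOOD_IMAGE_V1 = b"constructed vendor image: chipset-A firmware 1.0"
GOOD_IMAGE_V2 = b"constructed vendor image: chipset-A firmware 1.1"

# Constructed approved manifest: (chipset, version) -> expected SHA-256 of the release image.
APPROVED_IMAGES: Dict[tuple, str] = {
    ("chipset-A", "1.0"): sha256_hex(GOOD_IMAGE_V1),
    ("chipset-A", "1.1"): sha256_hex(GOOD_IMAGE_V2),
}

# Constructed MDM export: asset IDs currently enrolled.
MDM_ENROLLED: Set[str] = {"TAB-001", "TAB-002", "TAB-004"}

# Constructed inventory covering the cases a review should expose.
INVENTORY: List[Device] = [
    Device("TAB-001", "Tablet X", "chipset-A", "1.1", "field-ops", GOOD_IMAGE_V2),
    Device("TAB-002", "Tablet X", "chipset-A", "1.0", "field-ops",
           b"constructed image whose contents do not match the release"),
    Device("TAB-003", "Tablet Y", "chipset-A", "1.0", "lab", GOOD_IMAGE_V1),   # never enrolled
    Device("TAB-004", "Tablet Z", "chipset-A", "0.9", "guest", None),          # version not in manifest
]


def assess_device(dev: Device, approved: Dict[tuple, str], mdm_enrolled: Set[str]) -> List[str]:
    """Return a list of finding labels; an empty list means the device checks out."""
    findings: List[str] = []
    if dev.asset_id not in mdm_enrolled:
        findings.append("outside-mdm")               # blind spot: no host telemetry or update control
    expected = approved.get((dev.chipset, dev.firmware_version))
    if expected is None:
        findings.append("unapproved-version")        # build not on the approved release list
    elif dev.image is None:
        findings.append("unverified-image")          # version looks approved but nothing to hash
    elif sha256_hex(dev.image) != expected:
        findings.append("digest-mismatch")           # retained image differs from the release digest
    return findings


def assess_fleet(inventory: List[Device], approved: Dict[tuple, str],
                 mdm_enrolled: Set[str]) -> Dict[str, List[str]]:
    """Map every asset ID to its findings so the result can feed a ticket or report."""
    return {d.asset_id: assess_device(d, approved, mdm_enrolled) for d in inventory}


def devices_by_chipset(inventory: List[Device], chipset: str) -> Dict[str, List[str]]:
    """Answer the scoping question 'which devices depend on this vendor kernel?', grouped by owner."""
    scoped: Dict[str, List[str]] = {}
    for d in inventory:
        if d.chipset == chipset:
            scoped.setdefault(d.owner, []).append(d.asset_id)
    return scoped


if __name__ == "__main__":
    for asset, findings in assess_fleet(INVENTORY, APPROVED_IMAGES, MDM_ENROLLED).items():
        print(asset, "OK" if not findings else ", ".join(findings))
    print("scope for chipset-A:", devices_by_chipset(INVENTORY, "chipset-A"))
```

The findings are deliberately separate labels rather than a single pass/fail, because each one routes to a different owner: "outside-mdm" goes to asset management, "unapproved-version" and "unverified-image" to whoever approves update channels, and "digest-mismatch" to IR as an investigative lead that still needs firmware and vendor context before anyone calls it a compromise.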

Analyst notes and limits

The source material describes a reported backdoor in a Linux kernel distributed by Allwinner for devices using its processors, with ATT&CK linking the object to mobile supply-chain compromise. The highest-value defensive use is readiness validation: can teams find affected devices, prove software provenance, and respond if a supplier component is suspect?

Official ATT&CK detection is not provided, and the malware object does not specify platforms or tactics. The only relationship supplied is to Compromise Software Supply Chain, whose listed platforms are Android and iOS; the Allwinner description specifically references Android tablets and other devices. Local inventory, firmware evidence, and supplier records are required to assess relevance.

Official MITRE ATT&CK definition

Allwinner

Allwinner is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by Allwinner for use on these devices reportedly contained a backdoor. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1474.003
Name: Compromise Software Supply Chain (sub-technique)
Relationship / procedure: A Linux kernel distributed by Allwinner reportedly contained a simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d2746a9b1e1f4ced...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: d2746a9b1e1f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] HackerNews-Allwinner: Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.
  2. [2] Allwinner: ATT&CK object description (cites HackerNews-Allwinner).
  3. [3] mitre-attack S0319: MITRE ATT&CK source object record.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.