MITRE ATT&CK® Technique

T1474: Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

* Manipulation of development tools
* Manipulation of a development environment
* Manipulation of source code repositories (public or private)
* Manipulation of source code in open-source dependencies
* Manipulation of software update/distribution mechanisms
* Compromised/infected system images
* Replacement of legitimate software with modified versions
* Sales of modified/counterfeit products to legitimate distributors
* Shipment interdiction

While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.[1][2]

Domain: Mobile | ID: T1474 | Type: Technique | Object version: 2.1 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Supply Chain Compromise for mobile matters because a trusted app, dependency, update channel, device image, hardware component, or delivery path can be altered before the organization ever receives it. For executives, the key issue is trust: normal mobile security controls may see the product as legitimate even when the compromise was introduced upstream.

Executive priority

Treat this as a resilience and assurance problem, not only a malware problem. Leaders should ask whether mobile app development, third-party libraries, app distribution, device procurement, security update commitments, and device retirement rules are governed with evidence. Budget and control decisions should prioritize supplier assurance, secure SDLC practices, timely mobile security updates, and the ability to restrict enterprise access from devices that are not current or no longer supported.

Technical view

The mirrored object lists the Android and iOS platforms; its tactic field is not populated in this snapshot (on attack.mitre.org the Mobile technique is catalogued under Initial Access). SOC, IR, mobile security, and detection engineering teams should validate visibility across the three sub-areas: compromised software dependencies and development tools, compromised hardware supply chain, and compromised software supply chain. Because no official detection text is provided, use the related detection strategy DET0628 as a starting point and confirm that local evidence sources can support investigations into app provenance, dependency integrity, update-channel integrity, device image integrity, and unexpected changes in signed or distributed mobile software.

Likely telemetry

  • Mobile device inventory, OS version, and security patch level records
  • Mobile application inventory, package identifiers, signing certificate details, hashes, and installation source
  • Mobile app build, release, repository, dependency, and third-party library records where the organization develops or distributes apps
  • Software update and application distribution logs, including enterprise app store or MDM deployment history where available
  • Procurement, vendor, carrier, shipment, and device lifecycle records for managed mobile hardware

Detection direction

  • Validate whether DET0628 or local detection content covers supply-chain indicators across software dependencies, development tools, hardware, and software distribution paths.
  • Tune for integrity and provenance anomalies rather than only runtime malware behavior; a compromised product may appear trusted if signatures, repositories, or update mechanisms were abused upstream.
  • Correlate mobile app inventory with expected signing certificates, approved distribution channels, known dependency versions, and release records.
  • Use device patch level and support status as detection and triage context, especially where access to enterprise resources depends on recent security updates.
  • Account for false positives from legitimate app updates, developer certificate rotation, emergency releases, device replacement, or carrier/vendor update delays.
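The correlation and triage steps above, as an added example (not Glexia's or MITRE's code): a small Python check that joins a constructed MDM app-inventory export against a provenance allowlist of expected signing certificates and approved distribution channels, and uses the device security patch level as triage context. The CSV column names, package identifiers, fingerprint values, install-source labels and the 90-day threshold are all assumptions for illustration; real MDM exports and access policies will differ.

```python
"""Correlate a mobile app inventory with signing, distribution and patch expectations.

Added example; the inventory, allowlist, column names and thresholds are
constructed for illustration and are not Glexia's, MITRE's or any vendor's data.
"""
import csv
import io
from datetime import date

# Constructed provenance allowlist: package id -> (accepted signing-certificate
# SHA-256 fingerprints, approved distribution channels). Placeholder hex values,
# not real certificates. Keeping the previous fingerprint alongside the new one
# during a planned certificate rotation avoids the rotation false positive.
EXPECTED = {
    "com.example.corpmail": ({"ab" * 32}, {"enterprise_store"}),
    "com.example.vpn": ({"cd" * 32, "ef" * 32}, {"enterprise_store", "play_store"}),
}
# Channels the organization accepts at all; anything else is treated as sideloaded.
APPROVED_SOURCES = {"enterprise_store", "play_store", "app_store"}
MAX_PATCH_AGE_DAYS = 90  # assumed access-policy threshold
AS_OF = date(2025, 11, 1)  # assumed evaluation date for the constructed data

# Constructed MDM export. Column names are an assumption about the export format.
INVENTORY_CSV = """device_id,package,signer_sha256,install_source,patch_level
dev-001,com.example.corpmail,{ok1},enterprise_store,2025-10-05
dev-002,com.example.vpn,{bad},play_store,2025-10-05
dev-003,com.example.corpmail,{ok1},sideload,2025-10-05
dev-004,com.example.vpn,{ok2},enterprise_store,2025-03-01
dev-005,com.example.flashlight,{bad},unknown,2025-10-05
""".format(ok1="ab" * 32, ok2="ef" * 32, bad="99" * 32)


def assess(row, today):
    """Return the ordered list of findings for one inventory row (empty if clean)."""
    findings = []
    policy = EXPECTED.get(row["package"])
    if policy is None:
        # Not in the allowlist at all: unapproved software on a managed device.
        findings.append("unapproved_package")
    else:
        signers, channels = policy
        # A trusted package id with an unexpected signer is the core upstream-
        # compromise signal: the app looks legitimate but was not signed by the
        # identity the organization expects.
        if row["signer_sha256"].lower() not in signers:
            findings.append("signer_mismatch")
        if row["install_source"] not in channels:
            findings.append("unexpected_install_source")
    if row["install_source"] not in APPROVED_SOURCES:
        findings.append("sideloaded")
    # Patch level is triage context: an old security patch level on a device
    # carrying a suspect app raises its priority and may trigger access limits.
    patch_level = date.fromisoformat(row["patch_level"])
    if (today - patch_level).days > MAX_PATCH_AGE_DAYS:
        findings.append("stale_patch_level")
    return findings


def triage(csv_text, today):
    """Map device id -> findings for every row of an inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: assess(row, today) for row in rows}


def demo_results():
    """Run the triage over the constructed export as of the assumed date."""
    return triage(INVENTORY_CSV, AS_OF)


if __name__ == "__main__":
    for device, findings in demo_results().items():
        print(device, findings or "clean")
```

Of the constructed rows, only dev-001 is clean; dev-002 carries a trusted package id with the wrong signer, which is the pattern a signature-abusing upstream compromise would produce, while dev-003 and dev-005 are sideload cases and dev-004 is a stale device that should lose enterprise access under the update policy. In a real deployment the allowlist would be generated from release records rather than maintained by hand.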

Mitigation priorities

  • Prioritize M1001 Security Updates: buy and retain devices with vendor or carrier commitments for prompt updates, monitor patch levels, decommission unsupported devices, and limit or block enterprise access from devices lacking recent updates.
  • Apply M1013 Application Developer Guidance for internally developed mobile applications: integrate secure coding, secure design, and SDLC controls to reduce opportunities for compromised dependencies or development processes to enter releases.
  • Maintain approval and review processes for third-party mobile libraries, SDKs, and open-source dependencies, including advertising libraries when used.
  • Require provenance checks for mobile applications and updates, including expected source, signing identity, and release history.
  • Strengthen procurement and lifecycle governance for mobile hardware and system images, especially for devices that will access enterprise resources.
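One way to make the third-party-library approval and provenance checks above mechanical, as an added example (not Glexia's or MITRE's code, and not a replacement for Gradle's own dependency-verification feature): a Python check that parses a constructed gradle.lockfile, compares each resolved coordinate against a reviewed-dependency list, and verifies the SHA-256 of the artifact the build would fetch. Every coordinate, byte string and hash here is constructed for illustration; the lockfile line format is the real one, but the libraries are placeholders.

```python
"""Verify resolved mobile-app dependencies against an approved list with checksums.

Added example. The lockfile, the approved list and the 'fetched' artifact bytes
are constructed; the coordinates are placeholders, not real libraries.
"""
import hashlib

# Constructed Gradle lockfile excerpt. Real lockfiles use the same
# group:artifact:version=configuration line format and an 'empty=' marker.
LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
com.example.net:httpclient:4.12.0=releaseRuntimeClasspath
com.example.ads:ads-sdk:2.3.1=releaseRuntimeClasspath
com.example.crash:reporter:1.4.2=releaseRuntimeClasspath
com.example.analytics:tracker:9.9.9=releaseRuntimeClasspath
empty=
"""

# Simulated artifact bytes as the build would fetch them (constructed).
FETCHED = {
    "com.example.net:httpclient:4.12.0": b"httpclient 4.12.0 release jar (constructed)",
    "com.example.ads:ads-sdk:2.3.1": b"ads-sdk 2.3.1 jar with injected code (constructed)",
    "com.example.crash:reporter:1.4.2": b"reporter 1.4.2 jar (constructed)",
    "com.example.analytics:tracker:9.9.9": b"tracker 9.9.9 jar (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved list produced at review time: group:artifact -> (reviewed version,
# SHA-256 of the reviewed artifact). Hashes are computed from constructed
# known-good bytes so the example runs offline.
APPROVED = {
    "com.example.net:httpclient": ("4.12.0", sha256_hex(b"httpclient 4.12.0 release jar (constructed)")),
    "com.example.ads:ads-sdk": ("2.3.1", sha256_hex(b"ads-sdk 2.3.1 jar as reviewed (constructed)")),
    "com.example.crash:reporter": ("1.4.0", sha256_hex(b"reporter 1.4.0 jar (constructed)")),
}


def parse_lockfile(text):
    """Return (group:artifact, version) for each resolved dependency line."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        coordinate = line.split("=", 1)[0]
        parts = coordinate.split(":")
        if len(parts) != 3:  # skips the 'empty=' configuration marker
            continue
        group, artifact, version = parts
        deps.append((f"{group}:{artifact}", version))
    return deps


def verify(lock_text, approved, fetched):
    """Return {coordinate: status} for every resolved dependency."""
    results = {}
    for key, version in parse_lockfile(lock_text):
        coordinate = f"{key}:{version}"
        entry = approved.get(key)
        if entry is None:
            results[coordinate] = "unapproved"
            continue
        approved_version, approved_sha = entry
        if version != approved_version:
            # Same library, different version from the one reviewed: review again.
            results[coordinate] = "version_drift"
            continue
        data = fetched.get(coordinate)
        if data is None:
            results[coordinate] = "missing_artifact"
        elif sha256_hex(data) != approved_sha:
            # Right coordinate, wrong bytes: the published artifact or the
            # distribution path changed after review.
            results[coordinate] = "checksum_mismatch"
        else:
            results[coordinate] = "ok"
    return results


def demo_results():
    return verify(LOCKFILE, APPROVED, FETCHED)


if __name__ == "__main__":
    results = demo_results()
    for coordinate, status in results.items():
        print(f"{status:18} {coordinate}")
    if any(status != "ok" for status in results.values()):
        raise SystemExit("dependency verification failed; block the release")
```

The four outcomes map to the review process described above: the advertising SDK resolves to the reviewed version but not the reviewed bytes (checksum_mismatch), the crash reporter moved past its reviewed version (version_drift), and the analytics tracker was never approved (unapproved). Gradle can enforce the checksum part natively through gradle/verification-metadata.xml, and iOS builds get comparable pinning from Podfile.lock spec checksums and Package.resolved revisions; the approval-list comparison is the piece most organizations still have to add themselves.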

Analyst notes and limits

This object consolidates several formerly separate mobile supply-chain concepts and has three sub-techniques: T1474.001 for software dependencies and development tools, T1474.002 for hardware supply chain, and T1474.003 for software supply chain. The NIST Mobile Threat Catalogue references and ATT&CK relationships support using this technique for compliance evidence, vendor risk discussions, mobile SDLC review, and device access policy decisions.

The supplied ATT&CK object does not provide official detection text or tactics, and the related detection strategy details are not included. Assessment of exposure or coverage requires local evidence about mobile platforms in use, app development practices, dependency management, procurement paths, MDM controls, and update enforcement.

Official MITRE ATT&CK definition

The official technique description is reproduced verbatim in the opening section of this page.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship
Mobile | T1474.001 | Compromise Software Dependencies and Development Tools | Sub-technique of this object
Mobile | T1474.002 | Compromise Hardware Supply Chain | Sub-technique of this object
Mobile | T1474.003 | Compromise Software Supply Chain | Sub-technique of this object
Mobile | n/a | Malicious Software Development Tools | Revoked by this object
Mobile | n/a | Insecure Third-Party Libraries | Revoked by this object
Mobile | n/a | Malicious or Vulnerable Built-in Device Functionality | Revoked by this object
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.1
Created / Modified: not populated in the mirrored snapshot
Raw hash: 3b515ee75a31836a...

Imported snapshots across ATT&CK releases (1)
Release 19.1 | Object version 2.1 | Status: Current bundle | Raw hash 3b515ee75a31…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Grace-Advertisement: M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024.
  [2] NowSecure-RemoteCode: Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved December 22, 2016.
  [3] NIST Mobile Threat Catalogue APP-6
  [4] NIST Mobile Threat Catalogue SPC-0
  [5] NIST Mobile Threat Catalogue SPC-1
  [6] NIST Mobile Threat Catalogue SPC-10
  [7] NIST Mobile Threat Catalogue SPC-11
  [8] NIST Mobile Threat Catalogue SPC-12
  [9] NIST Mobile Threat Catalogue SPC-13
  [10] NIST Mobile Threat Catalogue SPC-14
  [11] NIST Mobile Threat Catalogue SPC-15
  [12] NIST Mobile Threat Catalogue SPC-16
  [13] NIST Mobile Threat Catalogue SPC-17
  [14] NIST Mobile Threat Catalogue SPC-18
  [15] NIST Mobile Threat Catalogue SPC-19
  [16] NIST Mobile Threat Catalogue SPC-2
  [17] NIST Mobile Threat Catalogue SPC-20
  [18] NIST Mobile Threat Catalogue SPC-21
  [19] NIST Mobile Threat Catalogue SPC-3
  [20] NIST Mobile Threat Catalogue SPC-4
  [21] NIST Mobile Threat Catalogue SPC-5
  [22] NIST Mobile Threat Catalogue SPC-6
  [23] NIST Mobile Threat Catalogue SPC-7
  [24] NIST Mobile Threat Catalogue SPC-8
  [25] NIST Mobile Threat Catalogue SPC-9
  [26] mitre-attack T1474

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.