T1474.003: Compromise Software Supply Chain
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Analyst context for executives and security teams
This mobile technique matters because a device can be compromised before the enterprise ever installs or receives the app: source code, compiled releases, or update and distribution mechanisms may be altered upstream. For leaders, the risk is less about a single user mistake and more about trust in mobile software procurement, update channels, and device eligibility for enterprise access.
Executive priority
Prioritize this where Android or iOS devices access sensitive enterprise data, regulated workflows, or operational systems. Ask whether the organization can prove which mobile apps and device builds are trusted, current, and eligible for access. Budget and governance decisions should focus on mobile supply-chain assurance, security update commitments, unsupported-device retirement, and auditable access controls tied to device update state.
Technical view
ATT&CK provides no official detection text and no tactic mapping for this sub-technique, but it is scoped to Android and iOS and is a sub-technique of Supply Chain Compromise. SOC, detection, and IR teams should validate whether they can investigate app provenance, signing identity, version drift, update source, device patch level, and Android system partition integrity. Relationship context shows DET0721 as a related detection strategy, but its details are not supplied here. ATT&CK also maps several mobile software entries to this behavior, including Adups, Allwinner, Stealth Mango, Triada, and CHEMISTGAMES, supporting the need to treat mobile supply-chain trust as an investigative and control domain rather than only an endpoint alerting problem.
Likely telemetry
- Mobile device inventory for Android and iOS assets
- Mobile app inventory, app version, package/bundle identifier, installation source, and update history
- Application signing certificate, hash, and release metadata where available
- MDM/UEM compliance state and enterprise resource access decisions
- Device operating system version and security patch level
Detection direction
- Confirm whether DET0721 or equivalent internal analytics exist, because the supplied ATT&CK object does not provide detection logic.
- Baseline approved mobile applications, expected signing certificates, authorized distribution channels, and known-good versions; alert on deviations that are meaningful in the local environment.
- Correlate suspicious app provenance or version changes with device compliance, patch level, and access to enterprise resources.
- Treat unsupported, unpatched, or unverifiable devices as higher-risk investigation targets, especially when they run sensitive mobile applications.
- Tune carefully for legitimate app updates, regional distribution differences, enterprise re-signing, beta channels, and managed app deployments to avoid excessive false positives.
Mitigation priorities
- Require vendor, carrier, and device procurement commitments for prompt security updates over a defined support period.
- Install security updates in response to discovered vulnerabilities and enforce recent security patch levels for enterprise access.
- Decommission devices that no longer receive security updates.
- Limit or block access to enterprise resources from devices that have not installed recent security updates, consistent with the M1001 mitigation relationship.
- For Android, ensure devices include and enable Verified Boot to cryptographically protect system partition integrity, consistent with M1004.
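As an added illustration of the detection direction and the M1001-style access rule above (this is example code, not ATT&CK, Glexia or any MDM vendor's logic; package ids, signer fingerprints, installer ids, versions and the patch-level cutoff are all constructed placeholders), the following compares an MDM app inventory export with a known-good baseline and correlates provenance deviations with the device's security patch level:

```python
from datetime import date

# Constructed baseline of approved apps. Package ids, fingerprints, installer ids and
# versions are placeholders, not real values; fields mirror the telemetry listed above.
BASELINE = {
    "com.example.fieldops": {
        "signer_sha256": "PLACEHOLDER_FINGERPRINT_A",
        "installers": {"com.android.vending", "com.example.mdmagent"},
        "versions": {"4.2.0", "4.2.1"},
    },
}
# Assumed local policy: the oldest security patch level still eligible for enterprise access.
MIN_PATCH_LEVEL = date(2024, 3, 1)


def app_findings(app: dict) -> list[str]:
    """Compare one app inventory record with the baseline; an empty list means no deviation."""
    expected = BASELINE.get(app["package"])
    if expected is None:
        return ["unapproved_app"]
    findings = []
    if app["signer_sha256"] != expected["signer_sha256"]:
        findings.append("unexpected_signer")       # replaced or re-signed release
    if app["installer"] not in expected["installers"]:
        findings.append("unauthorized_installer")  # sideload or unknown distribution channel
    if app["version"] not in expected["versions"]:
        findings.append("version_drift")           # lowest confidence: tune for normal updates
    return findings


def device_assessment(device: dict) -> dict:
    """Correlate app provenance findings with patch level and return an access decision."""
    stale = date.fromisoformat(device["security_patch"]) < MIN_PATCH_LEVEL
    per_app = {a["package"]: app_findings(a) for a in device["apps"]}
    if stale or not device["supported"]:
        decision = "block"      # M1001: no enterprise access without recent security updates
    elif any(per_app.values()):
        decision = "restrict"   # hold access until app provenance is validated
    else:
        decision = "allow"
    return {"decision": decision, "stale_patch": stale, "findings": per_app}


# Constructed MDM export for one device: stale patch level plus an app whose signer,
# installer and version all deviate from the baseline.
SAMPLE_DEVICE = {
    "supported": True,
    "security_patch": "2024-01-05",
    "apps": [{"package": "com.example.fieldops", "version": "4.3.0",
              "signer_sha256": "PLACEHOLDER_FINGERPRINT_B", "installer": "com.unknown.store"}],
}
```

Enterprise re-signing, beta channels and managed deployments should be added to the baseline's installer and signer sets before this is used for alerting, otherwise the version and installer checks will fire on legitimate updates.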
Analyst notes and limits
The most important defensive question is whether the organization can validate trust after software has passed through external development, build, and distribution paths. This object is especially relevant to mobile security architecture, MDM/UEM policy, incident response evidence collection, and compliance demonstrations around device eligibility and software provenance.
Official ATT&CK detection guidance and tactics are not provided for this object. The supplied relationship to DET0721 names a detection strategy but does not include its analytic details. Mitigation text is limited to security updates and Android system partition integrity. Local telemetry, mobile management capabilities, procurement records, and app distribution practices are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1474 | Supply Chain Compromise | This object is a sub-technique of Supply Chain Compromise. |
Groups, software, and campaigns
S0309: Adups
S0424: Triada
S0328: Stealth Mango
Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]
S0319: Allwinner
S0555: CHEMISTGAMES
CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 988454b897f0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NIST Mobile Threat Catalogue SPC-11
- [2] NIST Mobile Threat Catalogue SPC-12
- [3] NIST Mobile Threat Catalogue SPC-18
- [4] NIST Mobile Threat Catalogue SPC-20
- [5] NIST Mobile Threat Catalogue SPC-4
- [6] mitre-attack T1474.003
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.