T1632.001: Code Signing Policy Modification
Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device.
Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including Input Injection or malicious configuration profiles.
Analyst context for executives and security teams
Code Signing Policy Modification matters because it weakens a core mobile trust boundary: whether a device will run only applications that appear to come from approved, signed sources. For executives and security leaders, the business issue is not just malware installation; it is whether enterprise mobile devices can be trusted for communications, identity access, and sensitive work after a policy or profile change allows unofficial code to run.
Executive priority
Prioritize this where Android or iOS devices are used for privileged communications, cloud or SaaS access, regulated data, field operations, or executive workflows. Leadership should ask whether mobile policy baselines are enforced through EMM/MDM, whether OS currency is measurable, and whether incident responders can quickly prove which devices accepted risky code-signing or configuration changes. This technique also has audit value because it tests whether mobile trust controls are governed, monitored, and recoverable rather than assumed.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for Android and iOS policy changes that allow execution or installation of applications signed with unofficial or unknown keys. ATT&CK provides no official detection text, but relationship context includes DET0619, Detection of Code Signing Policy Modification. Detection should focus on deviations from expected enterprise mobile policy, installation of suspicious or malicious configuration profiles, changes that permit unknown applications, and device state changes that undermine the parent behavior, Subvert Trust Controls. Related ATT&CK examples include Windshift and multiple mobile malware families using this behavior, so threat intelligence can help prioritize mobile investigations without assuming local exposure.
Likely telemetry
- EMM/MDM policy state and compliance history for Android and iOS devices
- Configuration profile inventory, install, change, and removal events
- Device settings related to unknown application installation or trust enforcement
- Mobile application inventory with signing, source, and install provenance where available
- Mobile OS version and patch/update status
Detection direction
- Implement or validate DET0619-style logic against managed mobile policy baselines, not just point-in-time device inventory.
- Alert on policy drift that permits unknown or unofficially signed applications, especially when paired with new profile installation or unexpected application installation.
- Correlate code-signing policy changes with device enrollment status, OS version, recent configuration profile changes, and app inventory changes.
- Tune for legitimate administrative changes by requiring change-management context, approved EMM actions, or known maintenance windows before suppressing alerts.
- Treat unmanaged or lightly managed BYOD devices as a likely blind spot because ATT&CK provides no guaranteed native detection source and official detection guidance is not provided.
Mitigation priorities
- Use Enterprise Policy through EMM/MDM to enforce mobile trust settings and prevent unauthorized policy drift where supported.
- Maintain recent Android and iOS versions, aligning with M1006, because mobile OS updates may add patches and security architecture improvements that increase resilience.
- Provide user guidance, aligning with M1011, so users recognize risky configuration profile prompts, unknown app installation requests, and social-engineering attempts involving mobile settings.
- Make mobile policy compliance part of incident readiness: responders should be able to identify affected devices, policy-change timing, installed profiles, and apps installed after the trust-control change.
- Review exceptions for users or business units that require nonstandard mobile installation paths, because those exceptions can become persistent blind spots.
Analyst notes and limits
This object is a mobile sub-technique of T1632, Subvert Trust Controls, and applies to Android and iOS. The revoked-by relationship from T1478 indicates that insecure or malicious configuration installation behavior is relevant context. The use relationships to Windshift and several mobile software entries support prioritizing this behavior in mobile threat models, especially for surveillanceware-style risk, but they should not be read as evidence of current activity.
ATT&CK does not specify tactics for this object and does not provide official detection text. DET0619 is referenced as a detection strategy, but its detailed logic is not supplied here. Local conclusions require enterprise evidence from MDM/EMM, device telemetry, app inventory, OS version data, and approved mobile policy baselines.
Code Signing Policy Modification
Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device.
Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including Input Injection or malicious configuration profiles.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1632 | Subvert Trust Controls | This object subtechnique of Subvert Trust Controls. |
| Mobile | T1478 | Install Insecure or Malicious Configuration | Install Insecure or Malicious Configuration revoked by this object. |
Groups, software, and campaigns
G0112: Windshift
S1056: TianySpy
S0551: GoldenEagle
GoldenEagle is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.[1]
S0549: SilkBean
S0420: Dvmap
S0505: Desert Scorpion
Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]
There are multiple close variants of Desert Scorpion, such as VAMP[2], GnatSpy[3], FrozenCell and SpyC23, which add some additional functionality but are not significantly different from the original malware.
S0311: YiSpecter
S0490: XLoader for iOS
XLoader for iOS is a malicious iOS application that is capable of gathering system information.[1] It is tracked separately from the XLoader for Android.
S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 7ef3fb0ab063… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
NIST Mobile Threat Catalogue STA-7Open source URL
-
[2]
mitre-attack T1632.001Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.