As further described in Supply Chain Compromise, supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.
Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.[1][2].
| ID | Name | Description |
|---|---|---|
| S0309 | Adups |
Adups was pre-installed on Android devices from some vendors.[3][4] |
| S0319 | Allwinner |
A Linux kernel distributed by Allwinner reportedly contained an simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors.[5] |
| S0555 | CHEMISTGAMES |
CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.[6] |
| S0328 | Stealth Mango |
In at least one case, Stealth Mango may have been installed using physical access to the device by a repair shop.[7] |
| S0424 | Triada |
Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.[8] [9] |
| S0297 | XcodeGhost |
XcodeGhost was injected into apps by a modified version of Xcode (Apple's software development tool).[10][11] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.