Skip to content

S0432 Bread

Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.1

Item Value
ID S0432
Associated Names Joker
Type MALWARE
Version 1.2
Created 04 May 2020
Last Modified 21 April 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Joker 1

Techniques Used

Domain ID Name Use
mobile T1517 Access Notifications Bread can collect device notifications.2
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols Bread communicates with the C2 server using HTTP requests.1
mobile T1407 Download New Code at Runtime Bread has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. Bread downloads billing fraud execution steps at runtime.1
mobile T1643 Generate Traffic from Victim Bread can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.1
mobile T1575 Native API Bread has used native code in an attempt to disguise malicious functionality.1
mobile T1406 Obfuscated Files or Information Bread uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. Bread has also abused Java and JavaScript features to obfuscate code. Bread payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. Bread has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.21
mobile T1406.002 Software Packing Bread payloads have used several commercially available packers.1
mobile T1636 Protected User Data -
mobile T1636.004 SMS Messages Bread can access SMS messages in order to complete carrier billing fraud.1
mobile T1422 System Network Configuration Discovery Bread collects the device’s IMEI, carrier, mobile country code, and mobile network code.1

References

  1. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020. 

  2. Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020.