S0432 Bread
Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.1
| Item | Value |
|---|---|
| ID | S0432 |
| Associated Names | Joker |
| Type | MALWARE |
| Version | 1.1 |
| Created | 04 May 2020 |
| Last Modified | 14 October 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Joker | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1517 | Access Notifications | Bread can collect device notifications.2 |
| mobile | T1412 | Capture SMS Messages | Bread can access SMS messages in order to complete carrier billing fraud.1 |
| mobile | T1448 | Carrier Billing Fraud | Bread can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.1 |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | Bread has been distributed through the Play Store. Some versions started off as clean to build a userbase and developer reputation. These versions were then updated to introduce malicious code.1 |
| mobile | T1476 | Deliver Malicious App via Other Means | Bread can install additional applications.2 |
| mobile | T1407 | Download New Code at Runtime | Bread has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. Bread downloads billing fraud execution steps at runtime.1 |
| mobile | T1452 | Manipulate App Store Rankings or Ratings | Bread had many fake reviews and ratings on the Play Store.1 |
| mobile | T1575 | Native Code | Bread has used native code in an attempt to disguise malicious functionality.1 |
| mobile | T1406 | Obfuscated Files or Information | Bread uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. Bread has also abused Java and JavaScript features to obfuscate code. Bread payloads have used several commercially available packers as well as hiding code in native libraries and encrypted JAR files in the data section of an ELF file. Bread has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.21 |
| mobile | T1437 | Standard Application Layer Protocol | Bread communicates with the C2 server using HTTP requests.1 |
| mobile | T1422 | System Network Configuration Discovery | Bread collects the device’s IMEI, carrier, mobile country code, and mobile network code.1 |