{"description": "Mobile techniques used by Bread, ATT&CK software S0432 (v1.2)", "name": "Bread (S0432)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1517", "comment": "[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1407", "comment": "[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. [Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1643", "comment": "[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1575", "comment": "[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. [Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. [Bread](https://attack.mitre.org/software/S0432) payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. [Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1406.002", "comment": "[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google Bread)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1422", "comment": "[Bread](https://attack.mitre.org/software/S0432) collects the device\u2019s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Bread", "color": "#66b1ff"}]}