
S0432: Bread

Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.[1]

Platform: Mobile | ID: S0432 | Type: Malware | Object version 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Bread is an Android malware family documented for large-scale billing fraud and for repeatedly changing how it hid from Google Play Store malware detection. For leaders, the practical issue is not just one malware name; it is the mobile risk pattern: fraudulent billing, evasive app behavior, runtime code loading, and abuse of SMS, notifications, and web traffic can undermine user trust, create financial exposure, and complicate mobile incident response.

Executive priority

Treat Bread as a useful test case for mobile application governance and managed detection readiness. Executives should ask whether corporate Android devices are limited to trusted app sources, whether mobile app permissions and runtime behavior are monitored, and whether fraud-relevant telemetry such as SMS activity, notification access, and unusual outbound web traffic is available during an investigation. Because ATT&CK provides no official detection text for this object, coverage should be validated with local controls and evidence rather than assumed from signature or app-store screening alone.

Technical view

Bread is listed for Android and is related to obfuscation, software packing, downloading new code at runtime, network configuration discovery, web-protocol communications, notification access, native API use, SMS message access, and generating traffic from the victim. SOC, detection engineering, and IR teams should validate whether mobile security tooling can inspect packed or obfuscated APKs, identify apps that fetch and execute code after installation, review sensitive permission use, and correlate outbound web or SMS activity with app identity. Since no tactics or official detection guidance are supplied, analysis should be behavior-led and scoped to Android telemetry available in the environment.

Likely telemetry

  • Android application inventory and installation source data
  • APK/static analysis results for obfuscation or packing indicators
  • Runtime behavior showing downloaded code or dynamically loaded components
  • App permission grants related to SMS, notifications, network access, and native code use
  • Outbound HTTP/HTTPS traffic metadata associated with mobile applications

Detection direction

  • Validate that mobile controls do not rely only on known signatures, because the supplied description emphasizes cloaking, obfuscation, and evasion of app-store malware detection.
  • Hunt for Android apps with sensitive permissions plus runtime code download behavior, especially when paired with unusual outbound web traffic or SMS-related activity.
  • Review alerts for packed or heavily obfuscated APKs, but tune for legitimate packed applications to reduce false positives.
  • Correlate app identity, permissions, installation source, network destinations, and user/device context before escalating, since the ATT&CK object does not provide specific indicators.
  • Assess whether notification access and SMS telemetry are collected at all; these are common blind spots because mobile platforms and privacy constraints may limit visibility.
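The correlation step described in the detection notes above, as an added example (not code from the ATT&CK object, Glexia, or the cited reports): a Python triage that scores each app in a constructed Android inventory on the behaviours the Bread relationships list and escalates only when several line up. The AppRecord layout, installer names, hosts and allowlist are assumed test data, not any MDM/MTD vendor's export schema; the permission strings, installer package and class names are real Android identifiers.

```python
"""Score Android apps for the Bread-style pattern over a constructed inventory.

Added example; not code from the ATT&CK object, Glexia, or the cited reports.
The AppRecord layout, installer names, hosts and allowlist below are assumed
test data, not any vendor's export schema. Permission strings and class names
are real Android identifiers.
"""
from dataclasses import dataclass

# Real AOSP permission names used for SMS access (T1636.004 / T1643).
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# Permission an app must hold to read notifications (T1517).
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Installer package name of Google Play; anything else is another store or a sideload.
PLAY_INSTALLER = "com.android.vending"
# APIs that let an app run code it did not ship with (T1407).
RUNTIME_LOAD_MARKERS = {
    "dalvik.system.DexClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
    "android.webkit.JavascriptInterface",
}


@dataclass
class AppRecord:
    package: str
    installer: str            # installing package reported by the device
    permissions: set          # declared/granted permissions
    referenced_classes: set   # class names found by static analysis of the APK
    has_native_libs: bool     # lib/ directory present (T1575)
    http_destinations: set    # hosts from app-attributed network metadata (T1437.001)
    packed: bool              # packer detected by the APK scanner (T1406.002)


def score_app(app, allowed_hosts):
    """Return (score, reasons); each Bread-relevant behaviour adds one point."""
    reasons = []
    if app.installer != PLAY_INSTALLER:
        reasons.append("not installed from Google Play")
    sms = app.permissions & SMS_PERMS
    if sms:
        reasons.append("SMS permissions: " + ", ".join(sorted(sms)))
    if NOTIFICATION_LISTENER in app.permissions:
        reasons.append("notification listener access")
    if app.referenced_classes & RUNTIME_LOAD_MARKERS:
        reasons.append("runtime code loading API referenced")
    if app.has_native_libs:
        reasons.append("ships native libraries")
    if app.packed:
        reasons.append("packed or obfuscated APK")
    unknown = app.http_destinations - allowed_hosts
    if unknown:
        reasons.append("outbound HTTP to unreviewed hosts: " + ", ".join(sorted(unknown)))
    return len(reasons), reasons


def triage(inventory, allowed_hosts, threshold=4):
    """Rank apps by score and return those at or above threshold.

    One indicator alone (a legitimately packed game with native code, say) does
    not escalate, which is the tuning the detection notes ask for.
    """
    scored = [(score_app(app, allowed_hosts), app.package) for app in inventory]
    scored.sort(key=lambda item: -item[0][0])
    return [(pkg, score, reasons) for (score, reasons), pkg in scored if score >= threshold]


# Constructed sample inventory and allowlist (test data, not real apps).
ALLOWED_HOSTS = {"www.googleapis.com", "telemetry.example.org"}
INVENTORY = [
    AppRecord(
        package="com.example.wallpapers",
        installer="com.example.thirdpartystore",
        permissions={"android.permission.INTERNET", "android.permission.READ_SMS",
                     "android.permission.RECEIVE_SMS", NOTIFICATION_LISTENER},
        referenced_classes={"android.webkit.JavascriptInterface"},
        has_native_libs=True,
        http_destinations={"cfg.example.net"},
        packed=True,
    ),
    AppRecord(
        package="com.example.racinggame",
        installer=PLAY_INSTALLER,
        permissions={"android.permission.INTERNET"},
        referenced_classes=set(),
        has_native_libs=True,
        http_destinations={"www.googleapis.com"},
        packed=True,
    ),
]

if __name__ == "__main__":
    for pkg, score, reasons in triage(INVENTORY, ALLOWED_HOSTS):
        print(f"{pkg}: score {score}")
        for r in reasons:
            print("  -", r)
```

The threshold is the tuning knob: the packed game scores two (native code plus packer) and stays below it, while the sideloaded wallpaper app collects every flag. Swap the constructed INVENTORY for a real MDM export and the allowlist for the hosts your apps are expected to talk to; the scoring itself does not need to change.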

Mitigation priorities

  • Prioritize Android app governance: restrict unapproved app sources, maintain mobile device compliance controls, and enforce enterprise application allowlisting where appropriate.
  • Review and minimize high-risk permissions for managed devices, especially SMS, notification access, and broad network behavior.
  • Use mobile threat defense, EMM/MDM, or equivalent controls to surface suspicious app behavior such as runtime code loading, obfuscation, and anomalous traffic generation.
  • Prepare IR playbooks for mobile billing-fraud scenarios, including device isolation, app removal, billing review, and evidence preservation.
  • Use this behavior as audit evidence for mobile security control validation, not as proof of coverage without telemetry review.

Analyst notes and limits

The strongest decision value in this object comes from the relationship set: Bread is associated with Android-focused evasion, runtime loading, web communications, SMS/notification access, native API use, and traffic generation. Those behaviors point defenders toward mobile telemetry validation and fraud-response readiness rather than a single indicator-driven detection approach.

ATT&CK provides no official detection text, no tactics, no aliases, and no supplied indicators for this object. The assessment is limited to the official description, external references, platform field, and listed relationships. Local device management architecture, privacy constraints, mobile security tooling, and carrier/billing data availability will determine actual detection and response capability.

Official MITRE ATT&CK definition

Bread

Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

9 rows (all in the Mobile domain)

Domain · ID · Name · Relationship / procedure

Mobile · T1406.002 · Software Packing (sub-technique)
  Bread payloads have used several commercially available packers. (Citation: Google Bread)

Mobile · T1517 · Access Notifications
  Bread can collect device notifications. (Citation: Check Point-Joker)

Mobile · T1636.004 · SMS Messages (sub-technique)
  Bread can access SMS messages in order to complete carrier billing fraud. (Citation: Google Bread)

Mobile · T1407 · Download New Code at Runtime
  Bread has used JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server, which supplied functions to run; the billing fraud execution steps are downloaded at runtime. (Citation: Google Bread)

Mobile · T1406 · Obfuscated Files or Information
  Bread uses various tricks to obfuscate its strings, including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. Bread has also abused Java and JavaScript features to obfuscate code. Bread payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file, and have stored DEX payloads as base64-encoded strings in the Android manifest and in internal Java classes. (Citation: Check Point-Joker) (Citation: Google Bread)

Mobile · T1422 · System Network Configuration Discovery
  Bread collects the device's IMEI, carrier, mobile country code, and mobile network code. (Citation: Google Bread)

Mobile · T1437.001 · Web Protocols (sub-technique)
  Bread communicates with its C2 server using HTTP requests. (Citation: Google Bread)

Mobile · T1643 · Generate Traffic from Victim
  Older versions of Bread performed SMS fraud; newer versions perform toll fraud. (Citation: Google Bread)

Mobile · T1575 · Native API
  Bread has used native code in an attempt to disguise malicious functionality. (Citation: Google Bread)
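The T1406 row above lists concrete hiding places: DEX payloads as base64 strings in the manifest or in Java classes, JARs (encrypted) in the data section of an ELF native library, and keywords split up with repeated delimiters. As an added example (not code from the ATT&CK object, Glexia, or the cited reports), the Python below checks an extracted APK artifact for each of those: it decodes long base64 runs and tests for the DEX header, finds plaintext ZIP headers inside an ELF image, falls back to a per-window entropy check for the encrypted case, and recovers API keywords after collapsing repeated delimiters. The manifest text, ELF-shaped byte strings and split strings are constructed test inputs; the repeated-delimiter regex is an assumption about how such splitting looks, not a documented Bread signature.

```python
"""Look for the payload-hiding tricks listed for Bread under T1406.

Added example; not code from the ATT&CK object, Glexia, or the cited reports.
It checks three things the relationship text describes: a DEX file stored as
a base64 string in manifest-like text, a JAR/ZIP carried in the data of an ELF
native library (plaintext, or encrypted and visible only as high entropy), and
keywords broken up by repeated delimiters. All sample inputs are constructed;
the repeated-delimiter regex is an assumption about how such splitting looks,
not a documented Bread signature.
"""
import base64
import math
import re
from collections import Counter

DEX_MAGIC = b"dex\n"        # prefix of the real DEX header ("dex\n035\0", "dex\n038\0", ...)
ZIP_MAGIC = b"PK\x03\x04"    # local file header that opens every ZIP/JAR
ELF_MAGIC = b"\x7fELF"

# Runs of base64 alphabet of 64+ chars; shorter runs are mostly ordinary identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Assumed splitting pattern: the same non-alphanumeric character repeated 2+ times.
DELIM_RUN = re.compile(r"([^A-Za-z0-9])\1+")
# Real Android API names worth recovering (SMS sending, IMEI read, runtime loading).
KEYWORDS = ("sendTextMessage", "getDeviceId", "DexClassLoader")


def find_base64_dex(text):
    """Return (offset, decoded_length) for base64 runs that decode to a DEX file."""
    hits = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        if raw.startswith(DEX_MAGIC):
            hits.append((m.start(), len(raw)))
    return hits


def find_embedded_zip(blob):
    """Offsets of ZIP local headers inside an ELF image (catches plaintext JARs)."""
    if not blob.startswith(ELF_MAGIC):
        return []
    offsets, pos = [], 0
    while (pos := blob.find(ZIP_MAGIC, pos)) != -1:
        offsets.append(pos)
        pos += len(ZIP_MAGIC)
    return offsets


def shannon_entropy(data):
    """Bits per byte of a byte string (8.0 means every value equally frequent)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(blob, window=256, threshold=7.0):
    """Window offsets in an ELF image whose entropy is near 8 bits/byte.

    An encrypted JAR has no magic to find; dense, uniformly distributed bytes
    inside a native library are the remaining static hint.
    """
    if not blob.startswith(ELF_MAGIC):
        return []
    return [off for off in range(0, len(blob) - window + 1, window)
            if shannon_entropy(blob[off:off + window]) >= threshold]


def reveal_split_keywords(s):
    """Keywords that appear only after collapsing repeated delimiter runs."""
    joined = DELIM_RUN.sub("", s)
    return [k for k in KEYWORDS if k in joined and k not in s]


# Constructed samples (not real Bread artifacts).
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 60                   # 68 bytes
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.app">\n'
    '  <meta-data android:name="cfg" android:value="'
    + base64.b64encode(FAKE_DEX).decode() + '"/>\n</manifest>\n'
)
SAMPLE_ELF_PLAIN = ELF_MAGIC + b"\x00" * 100 + ZIP_MAGIC + b"payload.jar..."
SAMPLE_ELF_ENC = ELF_MAGIC + b"\x00" * 252 + bytes(range(256)) * 2

if __name__ == "__main__":
    print("base64 DEX:", find_base64_dex(SAMPLE_MANIFEST))
    print("embedded ZIP:", find_embedded_zip(SAMPLE_ELF_PLAIN))
    print("high-entropy windows:", high_entropy_windows(SAMPLE_ELF_ENC))
    print("split keywords:", reveal_split_keywords("send##Text##Mess##age"))
```

Run it over the decoded AndroidManifest.xml, the strings of each class, and every file under lib/ of an unpacked APK. The entropy check is deliberately loose (compressed assets also score high), so treat it as a pointer to a region worth unpacking by hand rather than a verdict; the DEX-magic and ZIP-header checks are the precise ones.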

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Raw hash: 826f19203729cf68...

Imported snapshots across ATT&CK releases (1)

Release · Bundle imported · Object version · Modified · Status · Raw hash
19.1 · object version 1.2 · Current bundle · 826f19203729…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Google Bread
     A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends). Retrieved April 27, 2020.

  2. [2] Joker
     Cited in the relationship table as "Check Point-Joker"; no further reference details are mirrored for this record.

  3. [3] mitre-attack S0432
     https://attack.mitre.org/software/S0432/

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.