Simjacker: Critical SMS-based vulnerability that can spy on mobile phone users reported

• Researchers have discovered an SMS-based vulnerability that allows the tracking of mobile phone locations.
• Named Simjacker, this vulnerability is said to have been exploited for at least the past two years in multiple countries.

The backdrop

AdaptiveMobile Security has released a report about the existence of a new vulnerability named Simjacker and the related exploits.

• The vulnerability is in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that most SIM cards use.
• An observation that has caused high levels of concern is that the victim has almost no indication of being spied upon. This vulnerability has also been exploited for at least two years with victims in many countries.
• Simjacker can be exploited in devices from multiple manufacturers including Apple, Google, Samsung, and Motorola.

“Other than the impact on its victims, from our analysis, Simjacker and its associated exploits is a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks,” say the researchers.

How does the Simjacker work?

The Simjacker attack is initiated by sending an SMS with hidden SIM Toolkit (STK) instructions to the targeted SIM card.

• The S@T browser, a mechanism in SIM cards is abused to receive the victim’s location and IMEI number.
• The attack is undetected by the victim because there is no record of the SMS in the inbox or outbox.
• After the initial infiltration, the victim’s location is tracked by sending SMS messages at regular intervals.
• Simjacker commands may also cause the affected mobile phone to make calls, power off the card, send multimedia messages, and various other actions.

Simjacker exploitation could allow attackers to spread malware, conduct espionage, and fraud among other malicious activities. The fact that this exploitation is independent of the mobile devices is a huge advantage to the criminals behind such attacks.

Who is responsible for Simjacker attacks?

Researchers have their reasons to believe that a private company that works with the government to monitor citizens is behind this attack. It has been observed that the priorities in tracking different phone numbers keep shifting.

What to watch

AdaptiveMobile Security has announced it will share more details about Simjacker at the Virus Bulletin Conference in London on October 3, 2019.