Cybersecurity researchers have warned of a critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims without their knowledge just by sending an SMS.

Dublin-based firm AdaptiveMobile Security said the flaw — dubbed “Simjacker” — has been actively exploited for at least two years by a spyware vendor that works with governments to track individuals. The firm didn’t disclose the name of the company nor the individuals who may have been targeted in this way.

Given the attack works across all platforms, the vulnerability demonstrates the growing sophistication of threat actors in undermining network security by taking advantage of obscure technologies.

“The attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands,” AdaptiveMobile Security said.

The researchers have responsibly disclosed the flaw to the GSM Association (GSMA) and SIMalliance, the governing organizations that oversee mobile operators worldwide and work to improve the security of mobile services.

What is S@T?

The vulnerability resides in what’s called the S@T browser, embedded on most SIM cards as part of the SIM Application Toolkit (STK) widely used by GSM mobile operators across the world to provide value-added services to customers.


S@T — short for SIMalliance Toolbox Browser — is a microbrowser (aka mobile browser) designed to be used on mobile devices, especially on phones that support Wireless Application Protocol (WAP), a common standard for accessing the internet since the early 2000s.

The browser — stored as an executable application on the SIM card residing inside a GSM mobile phone — offers mobile service providers an alternate means to allow users to access web applications such as email, stock prices, news, and sports headlines.

With modern mobile browsers such as Chrome, Firefox, and Safari now capable of rendering full HTML web pages, WAP — and by extension S@T — has been deemed largely obsolete.

But AdaptiveMobile said it found the S@T browser technology active on mobile operators in at least 30 countries, with a cumulative population of over one billion. That doesn’t automatically make everybody susceptible, as it’s very much possible that mobile operators are no longer using SIM cards containing the vulnerable S@T browser.

Disclosing that the attacks are happening on a daily basis, the researchers also said a few phone numbers had been tracked hundred times over a 7-day period, implying they were high-profile targets.

How does the attack work?

At a high level, the vulnerability works by leveraging a GSM modem — available for as cheap as $10 — to send rogue messages to handsets that still use the S@T browser functionality in order to trigger specially crafted STK commands.

The SMS is not the regular kind, but another flavor called Binary SMS that’s used to deliver rich content, such as ringtones, phone system settings and WAP push text messages.

The device, upon receiving the SMS, blindly passes on the message to the SIM card without bothering to check its origin, after which the SIM card uses the S@T browser to execute the command — including requesting location and device information such as IMEI numbers.

“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated,” the researchers said.

While the primary attack detected involved the retrieval of mobile phone locations, the scope of Simjacker has considerably widened to “perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage.”

SIMalliance, for its part, has rolled out fresh recommendations to cellular carriers to implement additional security for S@T push messages by filtering such illegitimate binary SMSes.
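To make the filtering recommendation concrete, here is an added sketch (not code from SIMalliance, AdaptiveMobile or any operator) of the kind of check an SMS firewall could apply: it reads the TP-PID and TP-DCS header fields of an SMS-DELIVER message and blocks SIM-addressed binary messages unless the sender is on an allowlist. The allowlist, the phone numbers and the sample messages are constructed for illustration, and the sketch assumes the originator address can be trusted.

```python
from dataclasses import dataclass

PID_SIM_DATA_DOWNLOAD = 0x7F  # 3GPP TS 23.040 TP-PID: "(U)SIM Data download"

@dataclass
class DeliverHeader:
    originator: str
    pid: int
    dcs: int

def parse_deliver_header(tpdu: bytes) -> DeliverHeader:
    """Read TP-OA, TP-PID and TP-DCS from an SMS-DELIVER TPDU (no SMSC prefix)."""
    if len(tpdu) < 3 or (tpdu[0] & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = tpdu[1]                    # TP-OA length, counted in semi-octets
    oa_len = (digits + 1) // 2
    if len(tpdu) < 3 + oa_len + 2:
        raise ValueError("truncated TPDU")
    # Numeric addresses are swapped-nibble BCD; alphanumeric ones are not decoded here.
    raw = tpdu[3:3 + oa_len]
    number = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:digits]
    if ((tpdu[2] >> 4) & 0x07) == 0x01:  # type-of-number: international
        number = "+" + number
    return DeliverHeader(number, tpdu[3 + oa_len], tpdu[4 + oa_len])

def is_class2(dcs: int) -> bool:
    """True if TP-DCS (3GPP TS 23.038) marks the message class 2, i.e. SIM-specific."""
    if (dcs & 0x80) == 0:               # general / automatic-deletion coding groups
        return bool(dcs & 0x10) and (dcs & 0x03) == 0x02
    if (dcs & 0xF0) == 0xF0:            # "data coding / message class" group
        return (dcs & 0x03) == 0x02
    return False

def verdict(tpdu: bytes, allowed_originators: set) -> str:
    """Block SIM-addressed messages unless they come from an allowlisted sender."""
    h = parse_deliver_header(tpdu)
    sim_bound = h.pid == PID_SIM_DATA_DOWNLOAD or is_class2(h.dcs)
    if sim_bound and h.originator not in allowed_originators:
        return "block"
    return "pass"

# Constructed sample TPDUs (fictional numbers, placeholder payload bytes).
SCTS = "91902101000000"
TEXT_SMS = bytes.fromhex("040B91" "5155550501F0" "0000" + SCTS + "02E834")
ROGUE_SIM = bytes.fromhex("040B91" "5155550591F9" "7FF6" + SCTS + "04DEADBEEF")
OPERATOR_SIM = bytes.fromhex("040B91" "5155550501F0" "7FF6" + SCTS + "04DEADBEEF")
OTA_ALLOWLIST = {"+15555550100"}        # hypothetical operator OTA platform

if __name__ == "__main__":
    for name, pdu in [("text", TEXT_SMS), ("rogue", ROGUE_SIM), ("operator", OPERATOR_SIM)]:
        print(name, parse_deliver_header(pdu), verdict(pdu, OTA_ALLOWLIST))
```

Ordinary text messages pass untouched; only messages that the handset would hand to the SIM are subject to the sender check.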

As ZDNet notes, Simjacker attacks have been theorized at least since 2011. But this is the first time they have been exploited via complex techniques to enable surveillance.
