Majority of Simjacker Attacks Aimed at Mobile Phones in Mexico

Researchers believe hundreds of millions of SIM cards may be vulnerable to Simjacker attacks after determining that the targeted technology, despite being very old, is still used by at least 61 mobile operators across 29 countries.

AdaptiveMobile Security, a firm that specializes in cyber telecoms security, last month warned of a new SIM card attack method dubbed Simjacker. Simjacker involves sending specially crafted SMS messages to the targeted phone and it can be used to instruct the device to play a tone, send text messages, make phone calls, provide system information, launch a web browser, provide geographical information, and exfiltrate data.

An attacker can use Simjacker to track a user’s location, send SMS messages or make calls on the victim’s behalf, spy on users, deliver malware by opening malicious websites, and cause a denial-of-service (DoS) condition on the phone.

The Simjacker attack presented by AdaptiveMobile Security leverages a piece of legacy software still present on many SIM cards, the S@T Browser. The S@T Browser processes special SIM Toolkit (STK) instructions contained in SMS messages.

Despite not being updated since 2009, S@T Browser is still deployed by a significant number of mobile operators around the world. Tests conducted by AdaptiveMobile showed that the technology is present on SIM cards provided by at least 61 companies across 29 countries.

Affected regions and countries include most of South and Central America, Mexico, a small part of West Africa, Italy, Bulgaria, and the Middle East. While it’s difficult to determine exactly how many SIM cards are vulnerable to attacks, AdaptiveMobile estimates “mid to high hundreds of millions”. On the other hand, the company has pointed out that some operators may have deployed protections against these types of attacks on the network side and it’s possible that not all of their SIMs have S@T Browser.

Countries vulnerable to Simjacker attacks

AdaptiveMobile says it has seen Simjacker attacks being launched in the past two years, likely by a surveillance company that offers its monitoring services to governments. A majority of the attacks were aimed at individuals in Mexico, with some exploitation attempts observed in Colombia and Peru.

The same threat actor has been known to launch attacks exploiting weaknesses in the SS7 international telecommunications standard.

“The complexity of the attacks, and the fact that it has access to multiple sources, means that it is in use by a complex, advanced entity with a wide range of skills, experience and resources. This matches the specific SS7 threat actor, who in our experience operate one of the biggest and most active SS7 attack ‘platform’ that we have observed in the world,” AdaptiveMobile said in a research paper.

The company noted, “We have more specific information on which surveillance company it could potentially be, but unfortunately, we are not able to reveal this information. To do so would reveal specific methods and information which would damage our ability to detect and block these attacks globally.”

Researchers from Ginno Security Lab recently disclosed another variant of the Simjacker attack, one involving the Wireless Internet Browser (WIB), which SmartTrust created for SIM toolkit browsing.

This method is similar to the S@T Browser attack — it allows the attacker to conduct the same type of activities and it’s also stealthy — but it’s more difficult to carry out.

However, data collected by AdaptiveMobile shows that WIB with no security mechanisms is only used by 8 operators across 7 countries in Eastern Europe, Asia, Central America and West Africa. Nevertheless, a few hundred million SIM cards may still be impacted. AdaptiveMobile says it’s not aware of any attacks targeting WIB.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
