Researchers Disclose Another SIM Card Attack Possibly Impacting Millions

A new variant of a recently disclosed SIM card attack method could expose millions of mobile phones to remote hacking, researchers have warned.

Earlier this month, cyber telecoms security firm AdaptiveMobile Security disclosed the details of Simjacker, an attack method that involves sending specially crafted SMS messages to the targeted mobile phone.

The attack relies on the fact that these special messages are processed by the legacy S@T Browser present on many SIMs. An attacker could issue commands to conduct various types of activities, including sending SMS messages, making phone calls, launching a web browser, and collecting information about the targeted device, regardless of operating system and manufacturer.

AdaptiveMobile estimated that the attack could work against over 1 billion mobile phones considering that the S@T Browser is present on SIM cards provided by mobile operators in more than 30 countries. The company also claimed that an unnamed organization that helps governments monitor individuals has been using this method for at least two years.

The Simjacker attack method that leverages the S@T Browser was also independently discovered by researchers at Ginno Security Lab, a non-profit cybersecurity organization. Ginno Security Lab has dubbed the method S@Tattack and recently published a blog post describing its findings.

However, Ginno Security Lab has also identified a second SIM card attack method, one that involves the Wireless Internet Browser (WIB), which SmartTrust created for SIM toolkit based browsing. This attack has been dubbed WIBattack.

Similar to the S@T Browser, WIB can be controlled remotely with Over the Air (OTA) SMS messages, which are typically used by mobile operators to provision or change core network settings on a device.

Similar to the S@T Browser attack, a malicious actor could abuse WIB to conduct various activities on a mobile device using specially crafted SMS messages. An attacker can display arbitrary text or an icon on the screen on top of everything else, launch a browser and have it access a specified URL, provide location information, send SMSs, and make phone calls.

Both attacks are difficult to detect and stealthy — there is no indication to the victim that their device has been targeted.

However, Ginno Security Lab’s chief researcher, who uses the online moniker Lakatos, told SecurityWeek that more knowledge is needed to exploit WIB compared to the S@T Browser due to the fact that the WIB specification is not documented.

“The process for the researchers to find bytecode/payload of OTA SMS to attack the WIB browser is more difficult than S@T Browser,” Lakatos explained.

The researcher said they discovered these vulnerabilities back in 2015, but the details were kept secret due to the fact that they are very difficult to patch and relatively easy to exploit.

“If the attacker knows one network does not filter OTA SMS, he can launch mass attacks targeting a large number of subscribers of the network,” he noted.

“We are now focusing on finding solutions to protect people against the threats of backdoor applications in SIM cards. We should find a solution to protect subscribers even if we don’t need to know in detail what applications exist in SIM cards,” Lakatos said. “And we are developing a SIM-scanning application that can run on Android OS to help many people who want to know if their SIM card is safe from WIB and S@T or not. We will publish the application on Google Play when we finish it soon.”

In addition to the blog post, Ginno Security Lab created a video showing how the WIBattack works.

Ginno Security Lab has reported its findings to the GSM Association (GSMA), which represents mobile network operators worldwide. GSMA has confirmed for SecurityWeek that it has been made aware of the WIBattack and S@Tattack attacks affecting some SIM cards.

“We are considering the research and its impact with our mobile industry partners and are grateful to the researchers for affording the industry the opportunity to consider their findings,” GSMA said in an emailed statement. “This research is similar to other research recently sent to us under the name ‘Simjacker’. The GSMA has worked with the mobile industry to create guidance for operators and SIM manufacturers to deal with ‘Simjacker’, including how to identify which SIMs are impacted and on ways to mitigate the issue. The GSMA is working with the mobile industry to proactively identify and fix similar issues in other legacy SIM technology.”

GSMA added, “The GSMA welcomes any research that enhances the security and user confidence of mobile services and encourages all researchers to submit their work to our Coordinated Vulnerability Disclosure (CVD) Programme which enables them to share findings and to contribute to industry’s ongoing work to drive security improvements.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
