Connect with us

Hi, what are you looking for?


Mobile & Wireless

Researchers Disclose Another SIM Card Attack Possibly Impacting Millions

A new variant of a recently disclosed SIM card attack method could expose millions of mobile phones to remote hacking, researchers have warned.

A new variant of a recently disclosed SIM card attack method could expose millions of mobile phones to remote hacking, researchers have warned.

Earlier this month, cyber telecoms security firm AdaptiveMobile Security disclosed the details of Simjacker, an attack method that involves sending specially crafted SMS messages to the targeted mobile phone.

The attack relies on the fact that these special messages are processed by the legacy S@T Browser present on many SIMs. An attacker could issue commands to conduct various types of activities, including sending SMS messages, making phone calls, launching a web browser, and collecting information about the targeted device, regardless of operating system and manufacturer.

AdaptiveMobile estimated that the attack could work against over 1 billion mobile phones considering that the S@T Browser is present on SIM cards provided by mobile operators in more than 30 countries. The company also claimed that an unnamed organization that helps governments monitor individuals has been using this method for at least two years.

The Simjacker attack method that leverages the S@T Browser was also independently discovered by researchers at Ginno Security Lab, a non-profit cybersecurity organization. Ginno Security Lab has dubbed the method S@Tattack and recently published a blog post describing its findings.

However, Ginno Security Lab has also identified a second SIM card attack method, one that involves the Wireless Internet Browser (WIB), which SmartTrust created for SIM toolkit based browsing. This attack has been dubbed WIBattack.

Similar to the S@T Browser, WIB can be controlled remotely with Over the Air (OTA) SMS messages, which are typically used by mobile operators to provision or change core network settings on a device.

Similar to the S@T Browser attack, a malicious actor could abuse WIB to conduct various activities on a mobile device using specially crafted SMS messages. An attacker can display arbitrary text or an icon on the screen on top of everything else, launch a browser and have it access a specified URL, provide location information, send SMSs, and make phone calls.

Advertisement. Scroll to continue reading.


Both attacks are difficult to detect and stealthy — there is no indication to the victim that their device has been targeted.

However, Ginno Security Lab’s chief researcher, who uses the online moniker Lakatos, told SecurityWeek that more knowledge is needed to exploit WIB compared to the S@T Browser due to the fact that the WIB specification is not documented.

“The process for the researchers to find bytecode/payload of OTA SMS to attack the WIB browser is more difficult than S@T Browser,” Lakatos explained.

The researcher said they discovered these vulnerabilities back in 2015, but the details were kept secret due to the fact that they are very difficult to patch and relatively easy to exploit.

“If the attacker knows one network does not filter OTA SMS, he can launch mass attacks targeting a large number of subscribers of the network,” he noted.

“We are now focusing on finding solutions to protect people against the threats of backdoor applications in SIM cards. We should find a solution to protect subscribers even if we don’t need to know in detail what applications exist in SIM cards,” Lakatos said. “And we are developing a SIM-scanning application that can run on Android OS to help many people who want to know if their SIM card is safe from WIB and S@T or not. We will publish the application on Google Play when we finish it soon.”

In addition to the blog post, Ginno Security Lab created a video showing how the WIBattack works:

Ginno Security Lab has reported its findings to the GSM Association (GSMA), which represents mobile network operators worldwide. GSMA has confirmed for SecurityWeek that it has been made aware of the WIBattack and S@Tattack attacks affecting some SIM cards.

“We are considering the research and its impact with our mobile industry partners and are grateful to the researchers for affording the industry the opportunity to consider their findings,” GSMA said in an emailed statement. “This research is similar to other research recently sent to us under the name ‘Simjacker’. The GSMA has worked with the mobile industry to create guidance for operators and SIM manufacturers to deal with ‘Simjacker’, including how to identify which SIMs are impacted and on ways to mitigate the issue. The GSMA is working with the mobile industry to proactively identify and fix similar issues in other legacy SIM technology.”

GSMA added, “The GSMA welcomes any research that enhances the security and user confidence of mobile services and encourages all researchers to submit their work to our Coordinated Vulnerability Disclosure (CVD) Programme which enables them to share findings and to contribute to industry’s ongoing work to drive security improvements.”

Related: Many Vulnerabilities Found in Oracle’s Java Card Technology

Related: Stolen SIM Card Keys Could be Powerful Spy Tool

Related: Critical Flaw Exposes Mobile Devices, Networks to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.