Simjacker Vulnerability - Next-Generation Spying Over Mobile
Note: This article's purpose is only to create awareness about Simjacker.
Today we are talking about the existence of the vulnerability Simjacker. We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance. Simjacker and its associated exploits are a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks.
While sending a text message sounds simple, Adaptive Mobile says Simjacker is a very complex and sophisticated attack. The attacker can initiate Simjacker from any smartphone capable of sending SMS messages. These messages include a hidden Sim Toolkit instruction package that interacts with the S@T Browser. The S@T Browser doesn’t exist on all SIM cards of mobile carriers, but it can be used to perform actions like launching websites or playing sounds. These are rarely used anymore, but carriers used to push ads and billing information via the S@T Browser. Simjacker abuses this system by telling the phone to provide the phone’s IMEI and network-based location data.
The Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM card within the phone to 'take over' the mobile phone in order to retrieve and perform sensitive commands. The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated. However, the Simjacker attack can be, and has been, extended further to perform additional types of attacks.
Example of how Simjacker can track mobile phone location of vulnerable subscribers
How does this attack work and why is it special?
The attack relies both on these specific SMS messages being allowed, and on the S@T Browser software being present on the UICC (SIM card) in the victim phone. It has been demonstrated before how specific SMS messages targeting UICC cards could be exploited for malicious purposes. The Simjacker attack takes a different approach, and greatly simplifies and expands the attack by relying on the S@T Browser software as an execution environment. The S@T (pronounced sat) Browser – or SIMalliance Toolbox Browser to give it its full name – is an application specified by the SIMalliance, and can be installed on a variety of UICCs (SIM cards), including eSIMs. This S@T Browser software is not well known, is quite old, and its initial purpose was to enable services such as getting your account balance through the SIM card. Globally, its function has been mostly superseded by other technologies, and its specification has not been updated since 2009; however, like many legacy technologies, it is still being used while remaining in the background. In this case we have observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizable number of people are potentially affected. It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards.
This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware. This is because it contains a list of instructions that the SIM card is to execute. As software is essentially a list of instructions, and malware is 'bad' software, this could make the Simjacker exploit the first real-life case of malware (specifically spyware) sent within an SMS. Previous malware sent by SMS – such as the incidents we have observed – involved sending links to malware, not the malware itself within a complete message.
These attacks could be used to fulfil such purposes as:
· Mis-information (e.g. by sending SMS/MMS messages with attacker-controlled content)
· Fraud (e.g. by dialling premium rate numbers)
· Espionage (as well as the location-retrieving attack, an attacked device could function as a listening device by ringing a number)
· Malware spreading (by forcing a browser to open a web page with malware located on it)
· Denial of service (e.g. by disabling the SIM card)
· Information retrieval (retrieving other information such as language, radio type, battery level etc.)
The Scale of the Simjacker Vulnerability and Attacks
Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage. Adaptive Mobile Security Threat Intelligence analysts observed the hackers vary their attacks, testing many of these further exploits. In theory, all makes and models of mobile phone are open to attack as the vulnerability is linked to a technology embedded on SIM cards. The Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, Middle East and indeed any region of the world where this SIM card technology is in use.
Stopping the attacks and building long-term defences
We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals. Adaptive Mobile Security has been working closely with their customers and the wider industry; including both mobile network operators and SIM card manufacturers to protect mobile phone subscribers. We have blocked attacks and are committed to using our global threat intelligence to build defences against these new sophisticated attacks that are circumventing current security measures.
In order to deal with this vulnerability, we and the mobile industry have been taking a number of steps.
1. We have been working with our own mobile operator customers to block these attacks, and we are grateful for their assistance in helping detect this activity.
2. We also communicated to the GSM Association – the trade body representing the mobile operator community – the existence of this vulnerability. This vulnerability has been managed through the GSMA CVD program, allowing information to be shared throughout the mobile community.
3. As part of this, information was also shared with the SIMalliance, a trade body representing the main SIM card/UICC manufacturers, and they have made new security recommendations for the S@T Browser technology.
In general, our recommendations for the mobile community to deal with the immediate threat are for mobile operators to analyse and block suspicious messages that contain S@T Browser commands. Mobile operators could also try to change the security settings of UICCs in the field remotely, or even uninstall and stop using the S@T Browser technology completely, but this may be slower and considerably more difficult to do. However, this is very much only a first step, due to the greater implications of the Simjacker attacks.
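As an added example (not code from this article or from AdaptiveMobile), the following Python sketch shows the kind of message-level check the recommendation above describes, applied to the SMS-PP OTA ("SIM data download") messages that carry the SIM Toolkit instruction package described earlier. It assumes the SMS has already been decoded into its TP-PID, TP-DCS, user-data header and user data; the constants come from 3GPP TS 23.040 / TS 31.115 and the command packet layout from ETSI TS 102 225; `ST_BROWSER_TARS` is a labelled placeholder, since the real TAR values come from an operator's own SIM profile documentation; and every sample message is constructed, with the payload bytes left opaque.

```python
from dataclasses import dataclass

# Standard field values (3GPP TS 23.040 / TS 31.115), not taken from the article
SIM_DATA_DOWNLOAD_PID = 0x7F   # TP-PID: (U)SIM data download
IEI_COMMAND_PACKET = 0x70      # UDH information element: "Command Packet Identifier"

# PLACEHOLDER, not a real value: TARs that reach the S@T Browser on this operator's SIM
# profiles. An operator fills this set from its own SIM profile documentation.
ST_BROWSER_TARS = {bytes.fromhex("ABCDEF")}


@dataclass
class Sms:
    pid: int          # TP-PID
    dcs: int          # TP-DCS (kept for completeness; the policy keys on PID and UDH)
    udh: bytes        # raw user-data header (IEI, length, data, ...), b"" if absent
    user_data: bytes  # bytes after the UDH


@dataclass
class CommandPacket:
    spi: int
    kic: int
    kid: int
    tar: bytes
    crypto_integrity: bool  # CC or DS present (a plain redundancy check is not cryptographic)
    ciphered: bool


@dataclass
class Verdict:
    action: str       # "allow", "review" or "block"
    reasons: list


def udh_has_ie(udh, iei):
    """Walk the UDH information elements and report whether `iei` is present."""
    i = 0
    while i + 1 < len(udh):
        if udh[i] == iei:
            return True
        i += 2 + udh[i + 1]
    return False


def parse_command_packet(data):
    """Parse the TS 102 225 command packet header:
    CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(CHL-13)."""
    if len(data) < 3:
        return None
    chl = data[2]
    if chl < 13 or 3 + chl > len(data):
        return None
    hdr = data[3:3 + chl]
    spi1, spi2 = hdr[0], hdr[1]
    return CommandPacket(
        spi=(spi1 << 8) | spi2, kic=hdr[2], kid=hdr[3], tar=bytes(hdr[4:7]),
        crypto_integrity=(spi1 & 0x03) in (2, 3),   # SPI b2b1: 10 = CC, 11 = DS
        ciphered=bool(spi1 & 0x04),                 # SPI b3: ciphering applied
    )


def classify(sms):
    """Policy: block anything addressed to the S@T Browser, hold unprotected OTA
    traffic to other applets for review, and pass ordinary or properly secured messages."""
    is_ota = sms.pid == SIM_DATA_DOWNLOAD_PID or udh_has_ie(sms.udh, IEI_COMMAND_PACKET)
    if not is_ota:
        return Verdict("allow", [])
    pkt = parse_command_packet(sms.user_data)
    if pkt is None:
        return Verdict("block", ["SIM data download with malformed command packet"])
    reasons = []
    if pkt.tar in ST_BROWSER_TARS:
        reasons.append("addressed to S@T Browser TAR %s" % pkt.tar.hex())
    if not pkt.crypto_integrity:
        reasons.append("no cryptographic checksum or signature (SPI)")
    if not pkt.ciphered:
        reasons.append("payload not ciphered (SPI)")
    if pkt.tar in ST_BROWSER_TARS:
        return Verdict("block", reasons)
    return Verdict("review" if reasons else "allow", reasons)


def build_command_packet(spi1, spi2, kic, kid, tar, cntr, rc_cc_ds, payload):
    """Assemble a command packet for the constructed fixtures below (payload is opaque)."""
    header = bytes([spi1, spi2, kic, kid]) + tar + cntr + b"\x00" + rc_cc_ds
    body = bytes([len(header)]) + header + payload
    return len(body).to_bytes(2, "big") + body


# Constructed sample traffic, not captured data
OTA_UDH = bytes([IEI_COMMAND_PACKET, 0x00])
SAMPLES = {
    "plain_text": Sms(0x00, 0x00, b"", b"hello"),
    # operator provisioning: SPI 0x16 = CC + ciphering, TAR 010203 is a placeholder for a non-S@T applet
    "secured_provisioning": Sms(SIM_DATA_DOWNLOAD_PID, 0xF6, OTA_UDH,
        build_command_packet(0x16, 0x21, 0x15, 0x15, bytes.fromhex("010203"),
                             bytes(5), bytes(8), b"\xAA\xBB")),
    # Simjacker-style: SPI 0x00 = no integrity, no ciphering, addressed to the placeholder S@T TAR
    "unprotected_sat": Sms(SIM_DATA_DOWNLOAD_PID, 0xF6, OTA_UDH,
        build_command_packet(0x00, 0x00, 0x00, 0x00, bytes.fromhex("ABCDEF"),
                             bytes(5), b"", b"\x00\x00\x00\x00")),
}

if __name__ == "__main__":
    for name, sms in SAMPLES.items():
        v = classify(sms)
        print(name, v.action, v.reasons)
```

The policy deliberately blocks on the TAR alone: a message addressed to the S@T Browser is treated as suspicious whatever its SPI says, which is the "block suspicious messages that contain S@T Browser commands" step. OTA traffic to other applets that arrives without a cryptographic checksum, signature or ciphering is only queued for review, since that is the condition a remote change of UICC security settings is meant to eliminate, and a properly configured profile should never accept such a packet in the first place.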