Outdated SIM technology threatens billions of subscribers

Researchers have discovered a spyware campaign exploiting SIM card firmware. Attackers use hidden system applications to track the movement of their targets in many countries around the world.

The malicious technique is called Simjacker. Analysts believe that a professional cyber group is behind it and that the campaign was launched at least two years ago. The method is much more complicated than previously known ways of tracking cellular subscribers, but it requires almost zero investment in infrastructure: all operations go through a simple GSM modem costing $10.

What is Simjacker

The method uses the capabilities of the S@T Browser utility, which supports SIM card services (for example, requesting a balance or broadcasting messages from a cellular provider). This application is considered obsolete; it was last updated in 2009. However, it is still installed on a large share of devices.

To establish surveillance of a subscriber, criminals send a special SMS message addressed directly to S@T Browser on the target's device. The message encodes commands that allow various operations to be performed secretly on the user's device. The data exchange occurs without the owner's knowledge: received and sent messages do not appear in the phone's menus.

During the identified attacks, the attackers were interested in the geographical location and IMEI numbers of the target devices. Researchers have determined that the same method can make the phone place a call, send SMS or open a channel for data transfer. As a result, Simjacker provides a range of malicious features, including subscription to paid services, sending SMS and MMS on behalf of the victim, and downloading malware via the phone's browser.

Threat scale

According to experts, the vulnerable technology is used by mobile operators in 30 countries, which serve a total of a billion subscribers. The detected attacks were aimed at owners of phones from Apple, Motorola, Samsung, Google and other major manufacturers. Simjacker can also be used to attack IoT devices with SIM cards.

Researchers do not disclose their assumptions about the organizers of the campaign, specifying only that it is a private organization that works with government agencies. In addition to Simjacker, attackers use well-known exploits based on the SS7 and Diameter protocols.

The attackers monitor hundreds of users daily. Some victims are of particular interest to them: criminals sent several hundred requests per week to their devices. In other cases, this figure did not exceed a few per month. This pattern of surveillance suggests that the attacks are targeted, and that the organizers select the method to suit a specific purpose.

How to protect yourself from Simjacker

Providers can protect their subscribers by blocking messages that carry commands for S@T Browser. In addition, they can remotely reprogram the SIM cards or completely remove the vulnerable application from them. However, experts call these measures temporary and say that only a new approach to protection will ensure real security.
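
One way an operator-side SMS filter could implement the blocking described above, as an added example that is not from the original article or the researchers. It flags any SMS-DELIVER addressed to the SIM (TP-PID 0x7F or a UDH command-packet element, per 3GPP TS 23.040 and TS 31.115), which is broader than S@T Browser alone, unless the sender is on an allowlist. The allowlist value, function names and sample messages are constructed assumptions.

```python
SIM_DATA_DOWNLOAD_PID = 0x7F  # TP-PID "(U)SIM Data download" (3GPP TS 23.040)
COMMAND_PACKET_IEI = 0x70     # UDH element for a secured command packet (3GPP TS 31.115)
OTA_ALLOWLIST = {"15550100"}  # assumption: the operator's own OTA platform (constructed)

def parse_sms_deliver(tpdu: bytes) -> dict:
    """Extract sender, TP-PID, TP-DCS and the UDH element ids from an SMS-DELIVER."""
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    has_udh = bool(tpdu[0] & 0x40)            # TP-UDHI flag
    digits = tpdu[1]                          # address length in semi-octets
    oa_len = (digits + 1) // 2
    # Numeric addresses are BCD with swapped nibbles; drop the 0xF filler nibble.
    sender = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in tpdu[3:3 + oa_len])[:digits]
    pos = 3 + oa_len
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2 + 7                              # skip the 7-octet TP-SCTS timestamp
    user_data = tpdu[pos + 1:]                # tpdu[pos] is TP-UDL
    ieis = []
    if has_udh and user_data:
        header = user_data[1:1 + user_data[0]]  # user_data[0] is UDHL
        i = 0
        while i + 2 <= len(header):           # walk IEI / length / data triples
            ieis.append(header[i])
            i += 2 + header[i + 1]
    return {"sender": sender, "pid": pid, "dcs": dcs, "ieis": ieis}

def verdict(tpdu: bytes) -> str:
    """Return 'block' for SIM-directed messages from senders outside the allowlist."""
    try:
        msg = parse_sms_deliver(tpdu)
    except (ValueError, IndexError):
        return "unparsed"                     # truncated or not SMS-DELIVER: handle separately
    sim_directed = (msg["pid"] == SIM_DATA_DOWNLOAD_PID
                    or COMMAND_PACKET_IEI in msg["ieis"])
    if sim_directed and msg["sender"] not in OTA_ALLOWLIST:
        return "block"
    return "allow"

# Constructed sample TPDUs; the secured payload is replaced by zero bytes.
SCTS = "91902101000000"
SAMPLES = {
    "sim_ota_unknown_sender": bytes.fromhex("440891" "51551099" "7ff6" + SCTS + "07" "02700000000000"),
    "sim_ota_operator":       bytes.fromhex("440891" "51551000" "7ff6" + SCTS + "07" "02700000000000"),
    "ordinary_text":          bytes.fromhex("040891" "51551099" "0000" + SCTS + "02" "e834"),
    "truncated":              bytes.fromhex("4408"),
}
if __name__ == "__main__":
    for name, tpdu in SAMPLES.items():
        print(f"{name:24s} -> {verdict(tpdu)}")
```

Logging the `block` and `unparsed` verdicts with sender and timestamp also gives the operator the per-subscriber request counts that reveal targeted surveillance.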

“Mobile operators should understand that existing recommendations are not enough to protect users, since attackers are constantly trying to circumvent these obstacles,” the experts explain. “Providers must constantly monitor suspicious activity [on their networks] in order to find hidden threats. Criminals are no longer just attacking insecure networks - their campaigns are built on a whole range of protocols, software environments and technologies. To block these actions, operators also need to expand their capabilities and increase investments [in information security].”

Earlier, experts discovered that the network settings of Android devices from several global manufacturers could be changed secretly. The method allows attackers to substitute their own server for the one used to transfer information and thus gain access to the victim's email, contacts and messages.

Experts also warned that mobile providers profit from subscribers' geolocation data by selling it to third-party companies. During an experiment, journalists were able to determine the location of a target device to within 500 meters by paying about $300.