Holy SIMoly! Simjacker: SIM Card Attack Used to Spy on Mobile Phone Users



Researchers at AdaptiveMobile Security, a firm that specializes in cyber telecoms security, have disclosed a new SIM card attack method that could work against over 1 billion mobile phones, and they claim it has already been exploited by a surveillance company to track users.

Dubbed Simjacker, the attack involves sending a specially crafted SMS message to the targeted phone. The message contains SIM Toolkit (STK) instructions and it’s processed by the SIM card (the universal integrated circuit card, or UICC), specifically the S@T Browser present on the SIM.

An attacker could use this method to send a wide range of STK commands to the targeted device, including for playing a tone, sending SMS messages, making phone calls, collecting information about the device (location, IMEI, battery, language), launching a web browser, powering off the card, requesting geographical location, and exfiltrating data.

These commands can allow the attacker to track a user’s location, send arbitrary messages on a victim’s behalf (including to premium-rate numbers for fraud purposes), spy on users, deliver malware by instructing the device’s web browser to access a malicious website, and cause a denial-of-service (DoS) condition.

Doesn't sound like a whole lot one can do about this other than bearing in mind that a SIM card is a necessary condition to carry out an attack.  If you are an at risk individual (e.g. journalist, spy, human rights activist, CEO, politician, etc.) perhaps some attack surface reduction/mitigation tactics along the lines of:
  1. Turning off cellular connectivity when not actually using the phone and use wireless instead
  2. Using a non-cellular iPad like an iPad Mini 5, so you can use email more and SMS text messages less
  3. Using burner phones more and change frequently so perhaps the number you are using is not one as generally known to the outside world
  4. Turning off SMS messaging (if that's possible) whenever it's not absolutely needed to be on

Yikes. Here is the full article at SecurityWeek:


12 Ways to Defeat Multi-Factor Authentication On-Demand Webinar

Webinars19Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, explores 12 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he shares a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick.

Watch the Webinar

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Topics: Cybersecurity

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews