SIM Card Attack May Affect Over 1 Billion Mobile Phones Worldwide

Using SMS messaging, attackers can use phishing tactics to hijack mobile devices using a legacy piece of SIM code, called the S@T Browser, to execute commands as part of a more sophisticated attack.

Researchers at Adaptive Mobile Security have announced the discovery of a new mobile phone SIM vulnerability dubbed Simjacker. They believe the vulnerability is over 2 years old and present on SIM cards in mobile devices in over 30 countries, so the potential threat is significant.

According to Adaptive, an SMS message is sent to the phone with specific encoding that causes the SIM card to call on an embedded library called the S@T Browser to process the commands. Attackers can exfiltrate location and device information and remotely execute commands on the mobile device, including:

  • Sending outbound SMS messages
  • Placing phone calls
  • Opening a web page

These kinds of actions could play a role in larger attacks. For example:

  • CEO gift card and fraud scams could be initiated via text message
  • Outbound calls could be used to listen in on conversations
  • Malware could be installed by directing the phone’s browser to a malicious website

This is a very powerful and nasty vulnerability. According to Adaptive, the carriers are working to block such messages, as the text messages don’t require user interaction. But because the attack following the compromise of a mobile device will need to leverage traditional methods of attack (usually involving some form of social engineering), users should be vigilant against attacks coming from mobile text messaging, mobile email, etc.
