Using SMS messaging, attackers can use phishing tactics to hijack mobile devices using a legacy piece of SIM code, called the S@T Browser, to execute commands as part of a more sophisticated attack.
Researchers at Adaptive Mobile Security have announced the discovery of a new mobile phone SIM vulnerability dubbed Simjacker. Believing this vulnerability to be over 2 years old and present on SIM cards in mobile devices in over 30 countries, the potential threat for this new vulnerability is significant.
According to Adaptive, an SMS message is sent to the phone with specific encoding that causes the SIM Card to call on an embedded library called the S@T Browser to process the commands. Location and device information can be exfiltrated, along with remote execution of commands on the mobile device, including:
- Sending outbound SMS messages
- Placing phone calls
- Opening a web page
These kinds of actions could play a role in larger attacks. For example:
- CEO gift card and fraud scams could be initiated via text message
- Outbound calls could be used to listen in on conversations
- Malware could be installed by directing the phone’s browser to a malicious website
This is a very powerful and nasty vulnerability. According to Adaptive, the carriers are working to block such messages, as the text messages don’t require user interaction. But because the attack following the compromise of a mobile device will need to leverage traditional methods of attack (usually involving some form of social engineering), users should be vigilant against attacks coming from mobile text messaging, mobile email, etc.
