Simjacker : Sim Card Spying Android - iPhone


Simjacker – Next-Generation Mobile Spying

Today we are revealing the existence of the Simjacker vulnerability and its accompanying exploits. We believe a highly capable threat actor has been exploiting this vulnerability in multiple countries for at least the past two years, primarily for surveillance. Beyond the impact on its victims, our analysis shows that Simjacker and its exploits are considerably more complex and sophisticated than earlier attacks on mobile core networks, and they mark a significant step up in the skill and capability of attackers targeting mobile networks.

We will present the full technical details of Simjacker at the Virus Bulletin Conference in London on 3 October; in this post we give an overview of the attack, how it works, who may be exploiting it, and why it is such a significant new kind of attack.


How Does It Work?

At its simplest, the core Simjacker attack is an SMS sent to a mobile phone that carries a spyware-like payload: a set of instructions that tell the UICC (SIM card) inside the phone to 'take over' the handset in order to retrieve and execute sensitive commands.

The attack begins when a Simjacker 'Attack Message' is sent to the targeted handset. This Attack Message contains a series of SIM Toolkit (STK) instructions, is specifically crafted to be passed on to the UICC/eUICC (SIM card) inside the device, and can be sent from another handset, a GSM modem or an SMS sending account connected to an A2P account. For these instructions to work, the attack relies on the presence of a particular piece of software, the S@T Browser, on the UICC. When the UICC receives the Attack Message, it uses the S@T Browser library as an execution environment on the UICC to trigger logic on the handset. In the main attack observed, the Simjacker code running on the UICC requests location and specific device information (the IMEI) from the handset. Once this information is retrieved, the Simjacker code on the UICC collates it and sends it to a recipient number in another SMS (which we call the 'Data Message'), again by triggering logic on the handset. This Data Message is how the attacker exfiltrates the victim's location and IMEI to a remote phone.

During the attack the user is completely unaware that they received the Simjacker Attack Message, that information was retrieved, and that it was sent out in the Data Message SMS: nothing appears in any SMS inbox or outbox.

What makes this attack special and how does it work?

The attack depends on two things: that these specific SMS messages are accepted, and that the S@T Browser software is present on the UICC of the targeted phone. It has been shown before that specific SMS messages aimed at UICC cards can be abused for malicious purposes. What is new in the Simjacker attack is its use of the S@T Browser software as an execution environment, which greatly simplifies and broadens the attack. The SIMalliance Toolbox Browser, or S@T (pronounced 'sat') Browser, is an application specified by the SIMalliance that can be installed on a variety of UICCs (SIM cards), including eSIMs. The S@T Browser is not well known and is quite old. Its original purpose was to enable services such as getting your account balance through the SIM card. Its functions have largely been superseded by newer technologies and its specification has not been updated since 2009, yet, like many legacy technologies, it is still in use in the background. In this case we found that mobile operators in at least 30 countries, with a combined population of over a billion people, still use the S@T protocol, so a very large number of people are potentially affected. It is also quite likely that mobile operators in other countries continue to use the technology on some of their SIM cards.

What makes this attack unique is that the Simjacker Attack Message can reasonably be regarded as carrying a complete malware payload, specifically spyware, because it contains a list of instructions for the SIM card to execute. Software is simply a list of instructions, and malware is software that does harm, so Simjacker may be the first real-world case of malware (spyware, specifically) being delivered inside an SMS. Earlier SMS-borne spyware campaigns we have reported on sent links to malware rather than the malware itself inside a single message.

Location isn't everything

The novelty and potential of Simjacker do not end there, however. Retrieving a person's location is one thing, but by using the same method and altering the attack message, the attacker can direct the UICC to carry out a range of other attacks, because the same mechanism gives access to a range* of STK commands. Examples of these STK commands are:

Location, IMEI, battery, network, language and so on (the PROVIDE LOCAL INFORMATION command)

SEND SHORT MESSAGE

SET UP CALL

LAUNCH BROWSER

SEND DTMF

* Note: a number of other proactive STK commands were listed above in a previous version of this post. After further research it was found that these are unlikely to be used, so they were removed.

In our own testing, using these commands we were able to make targeted handsets open web browsers, call other phones, send text messages and so on. These attacks could be used for a variety of purposes, including:

Misinformation (for example, by sending SMS/MMS messages with attacker-controlled content)

Fraud (for example, by dialling premium-rate numbers)

Espionage (as well as the location-retrieval attack, an attacked device could be turned into a listening device by making it ring a number)

Malware propagation (by forcing the browser to open a web page hosting malware)

Denial of service (for example, by disabling the SIM card)

Information retrieval (retrieving other information such as language, radio type, battery level and so on)

Depending on the handset type we may be able to go much further, which we will cover in our VB2019 presentation. Worryingly, we are not the only ones to have thought of these additional attacks: in recent weeks and months we have seen the attackers themselves experimenting with these varied capabilities.
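The commands listed above are proactive UICC commands (ETSI TS 102 223): BER-TLV objects that the handset fetches from the card and acts on. As an added example, not code from the original post, here is a small decoder that takes such a proactive command as the handset would see it and reports its type, its qualifier (for PROVIDE LOCAL INFORMATION, which item the card is asking for), its destination and, for SET UP CALL, LAUNCH BROWSER and SEND DTMF, the number, URL or tones it carries, together with the handset-side effect the text above describes. It decodes what the card sends to the handset, not the S@T message that made the card send it. The sample command bytes, the phone number and the URL are constructed for illustration.

```python
"""
Added example, not code from the original post: decode a proactive UICC command
(ETSI TS 102 223) as the handset receives it from the SIM.  The sample command
bytes, phone number and URL below are constructed.
"""

# "Type of Command" values (TS 102 223); the page's examples plus a few neighbours.
COMMAND_TYPES = {
    0x10: "SET UP CALL",
    0x11: "SEND SS",
    0x12: "SEND USSD",
    0x13: "SEND SHORT MESSAGE",
    0x14: "SEND DTMF",
    0x15: "LAUNCH BROWSER",
    0x21: "DISPLAY TEXT",
    0x26: "PROVIDE LOCAL INFORMATION",
}
# Command qualifier of PROVIDE LOCAL INFORMATION: what the card is asking the handset for.
LOCAL_INFO_QUALIFIERS = {
    0x00: "location information (MCC, MNC, LAC, Cell ID)",
    0x01: "IMEI",
    0x02: "network measurement results",
    0x03: "date, time and time zone",
    0x04: "language",
    0x06: "access technology",
    0x0A: "battery charge state",
}
DEVICES = {0x81: "UICC", 0x82: "terminal", 0x83: "network"}
# What the user sees, as described in the text: retrieval and SMS leave no trace,
# calls and the browser are visible and some handsets ask before placing a call.
HANDSET_EFFECT = {
    "PROVIDE LOCAL INFORMATION": "silent; answered in the terminal response",
    "SEND SHORT MESSAGE": "sent by the card; nothing appears in the outbox",
    "SET UP CALL": "call placed; some handsets ask for confirmation, many do not",
    "LAUNCH BROWSER": "handset browser opens the URL",
    "SEND DTMF": "tones sent on the active call",
}

def bcd_digits(raw: bytes) -> str:
    """Dialling-number BCD: low nibble first, trailing 0xF is filler."""
    out = []
    for b in raw:
        out += [f"{b & 0x0F:X}", f"{b >> 4:X}"]
    return "".join(out).rstrip("F")

def simple_tlvs(data: bytes):
    """Walk the simple TLVs of a BER-TLV body; the CR bit (0x80) is stripped from tags."""
    pos = 0
    while pos < len(data):
        tag, length = data[pos] & 0x7F, data[pos + 1]
        pos += 2
        if length == 0x81:            # two-byte length form
            length, pos = data[pos], pos + 1
        yield tag, data[pos:pos + length]
        pos += length

def decode_proactive(apdu: bytes) -> dict:
    if apdu[0] != 0xD0:
        raise ValueError("not a proactive UICC command (expected tag D0)")
    body_len, pos = apdu[1], 2
    if body_len == 0x81:
        body_len, pos = apdu[2], 3
    body = apdu[pos:pos + body_len]
    if len(body) != body_len:
        raise ValueError("truncated proactive command")
    result = {}
    for tag, value in simple_tlvs(body):
        if tag == 0x01:               # Command details: number, type, qualifier
            ctype, qual = value[1], value[2]
            result["type"] = COMMAND_TYPES.get(ctype, f"unknown (0x{ctype:02X})")
            result["qualifier"] = (LOCAL_INFO_QUALIFIERS.get(qual, f"0x{qual:02X}")
                                   if ctype == 0x26 else f"0x{qual:02X}")
            result["effect"] = HANDSET_EFFECT.get(result["type"], "n/a")
        elif tag == 0x02:             # Device identities: source, destination
            result["destination"] = DEVICES.get(value[1], f"0x{value[1]:02X}")
        elif tag == 0x06:             # Address: TON/NPI octet, then BCD digits
            prefix = "+" if (value[0] & 0x70) == 0x10 else ""
            result["address"] = prefix + bcd_digits(value[1:])
        elif tag == 0x31:             # URL (LAUNCH BROWSER)
            result["url"] = value.decode("ascii")
        elif tag == 0x2C:             # DTMF string, BCD coded like a dialling number
            result["dtmf"] = bcd_digits(value)
    return result

# Constructed samples: location request, call to +12025550187, browser launch, DTMF "123".
SAMPLES = {
    "provide local info": "D009810301260082028182",
    "set up call": "D0128103011000820281838607912120550581F7",
    "launch browser": "D01D810301150082028182B112687474703A2F2F6578616D706C652E636F6D",
    "send dtmf": "D00D810301140082028183AC0221F3",
}

if __name__ == "__main__":
    for name, hexcmd in SAMPLES.items():
        print(f"{name:18} -> {decode_proactive(bytes.fromhex(hexcmd))}")
```

A handset-side or lab monitor that logs the card-terminal interface can run each fetched command through decode_proactive to see, for example, a PROVIDE LOCAL INFORMATION for location followed by a SEND SHORT MESSAGE, which is the pair the text describes.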


Finally, from the attacker's point of view, a further advantage of Simjacker is that many of its attacks appear to work regardless of handset type, because the vulnerability lies in software on the UICC rather than on the device. We have observed devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google and Huawei, and even IoT devices with SIM cards, successfully targeted to retrieve location. One caveat is that for some attacks the handset type does matter: some actions, such as setting up a call, may require user interaction to confirm, but this is not always the case, and older phones or devices without a keypad or screen (such as IoT devices) may not prompt at all.

Who is behind this?

The next question is who is exploiting this, and why. We are confident that the exploit was developed by a private company that works with governments to track individuals. Besides producing the spyware, this company also has extensive access to the SS7 and Diameter core networks: we have seen some of the same Simjacker victims targeted with SS7 attacks as well, with SS7 attack techniques used as a fallback when Simjacker attacks fail. So far we have observed Simjacker attacks against phone numbers from several countries, and we are confident that individuals in other countries have also been targeted. Using our Signalling Intelligence (SIGIL) collection, we were able to link this Simjacker-related SS7 activity to a group we had previously identified attempting to attack targets via SS7 techniques around the world.

The distribution of tracking attempts varies, with bursts of up to 300 phone numbers tracked in a single day. In one country we see roughly 100-150 unique phone numbers targeted per day via Simjacker attacks. Over a seven-day period a few high-value phone numbers were tracked hundreds of times, while most were targeted far less often. Per-day activity shows a similar pattern: some numbers were targeted repeatedly over days, weeks or months, others only once. These patterns, and the number of people tracked, suggest this is not a mass-surveillance operation but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time. Seen this way, the 'first use' of the Simjacker technique makes sense: carrying out this volume of tracking via SS7 or Diameter methods could expose those sources to detection, so it is better to reserve them for escalations or for when problems arise.

Defending Against Attacks and Planning for the Long Run

Together with the mobile industry we have taken a number of steps to address this issue.

We have been working with our own mobile operator customers to block these attacks, and we are grateful for their help in detecting this activity.

We also reported the existence of this vulnerability to the GSM Association, the trade body representing the mobile operator community. The issue has been handled through the GSMA CVD programme, allowing information to be shared across the mobile community.

The SIMalliance, the trade body representing the main SIM card/UICC manufacturers, was also informed, and it has issued new security guidelines for the S@T Browser technology.

To deal with the immediate threat, we recommend that mobile operators analyse and block suspicious SMS messages that contain S@T Browser commands. Operators could also try to change the security settings of UICCs in the field remotely, or even uninstall and stop using the S@T Browser technology altogether, but this would be far slower and considerably more difficult. Given the wider implications of the Simjacker attacks, however, this is only a first step.
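To make the two technical points concrete, the Attack Message described under "How Does It Work?" and the operator-side filtering recommended here, the following is an added example (not AdaptiveMobile's code, and not a reproduction of the attackers' message format). It parses an SMS-DELIVER TPDU the way an operator's SMS filter might: it flags the two markers that route a short message to the (U)SIM rather than to the user's inbox (TP-PID 0x7F, "(U)SIM data download", and TP-DCS 0xF6, 8-bit data of message class 2, both from 3GPP TS 23.040), and then reads the SPI of the ETSI TS 102 225 command packet to see whether the sender asked for any integrity, ciphering or replay-counter protection, which is the kind of UICC-side security setting the text refers to. The three hex TPDUs, the sender numbers, the OTA allowlist and the TAR value A0B1C2 are constructed for illustration.

```python
"""
Added example (not AdaptiveMobile's code and not the attackers' message format):
triage an SMS-DELIVER TPDU the way an operator-side SMS filter might.  It flags
the markers that route a message to the (U)SIM instead of the inbox and reads
the SPI of the ETSI TS 102 225 command packet to see what protection was asked
for.  The hex TPDUs, numbers, OTA allowlist and TAR A0B1C2 are constructed.
"""
from dataclasses import dataclass

SIM_DATA_DOWNLOAD_PID = 0x7F   # 3GPP TS 23.040: TP-PID "(U)SIM Data download"
CLASS2_8BIT_DCS = 0xF6         # TP-DCS: 8-bit data, message class 2 (for the (U)SIM)
OTA_GATEWAYS = {"50125"}       # constructed allowlist: the operator's own OTA senders

@dataclass
class SmsTriage:
    sender: str
    sim_data_download: bool
    tar: str = ""                   # Toolkit Application Reference (3 octets, hex)
    integrity: bool = False         # SPI b2b1 != 00: RC, CC or DS present
    ciphered: bool = False          # SPI b3: secured data is ciphered
    counter_checked: bool = False   # SPI b5b4 is 10 or 11: replay counter enforced

def _bcd(raw: bytes, ndigits: int) -> str:
    """Dialling-number BCD: low nibble first; keep ndigits, which drops the 0xF filler."""
    digits = []
    for b in raw:
        digits += [f"{b & 0x0F:X}", f"{b >> 4:X}"]
    return "".join(digits[:ndigits])

def triage_sms_deliver(hex_tpdu: str) -> SmsTriage:
    pdu = bytes.fromhex(hex_tpdu)
    if pdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(pdu[0] & 0x40)                 # TP-UDHI: user data starts with a header
    ndigits, toa = pdu[1], pdu[2]              # TP-OA: digit count, type of address, BCD
    addr_len = (ndigits + 1) // 2
    sender = _bcd(pdu[3:3 + addr_len], ndigits)
    if (toa & 0x70) == 0x10:                   # type of number: international
        sender = "+" + sender
    pos = 3 + addr_len
    pid, dcs = pdu[pos], pdu[pos + 1]
    pos += 2 + 7                               # skip TP-PID, TP-DCS and 7-octet TP-SCTS
    ud = pdu[pos + 1:]                         # pos is TP-UDL
    verdict = SmsTriage(sender, pid == SIM_DATA_DOWNLOAD_PID or dcs == CLASS2_8BIT_DCS)
    if not verdict.sim_data_download:
        return verdict                         # ordinary message: nothing more to inspect
    if udhi:
        ud = ud[1 + ud[0]:]                    # skip the UDH (e.g. IEI 0x70, command packet)
    # TS 102 225 command packet: CPL(2) CHL(1) SPI(2) KIc KID TAR(3) CNTR(5) PCNTR RC/CC/DS data
    cpl = int.from_bytes(ud[0:2], "big")
    if cpl != len(ud) - 2:
        raise ValueError("command packet length mismatch")
    spi1 = ud[3]
    verdict.tar = ud[7:10].hex().upper()
    verdict.integrity = (spi1 & 0x03) != 0
    verdict.ciphered = bool(spi1 & 0x04)
    verdict.counter_checked = ((spi1 >> 3) & 0x03) in (2, 3)
    return verdict

def policy(v: SmsTriage) -> str:
    """Operator-side rule: only protected packets from known OTA gateways reach the SIM."""
    if not v.sim_data_download:
        return "deliver"
    if v.sender not in OTA_GATEWAYS:
        return "block: SIM data download from a non-operator sender"
    if not (v.integrity and v.counter_checked):
        return "block: command packet without integrity/replay protection"
    return "deliver"

# Constructed TPDUs (no SMSC header).  The first mimics an unprotected push to the
# card from an ordinary subscriber number (SPI 00 00); the second a protected OTA
# command from the operator's gateway (CC, ciphered, strict counter); the third a
# plain 7-bit text "Hi".
ATTACK_PDU = ("40" "0B912120550581F7" "7F" "F6" "21905112340000" "17"
              "027000" "0012" "0D" "0000" "00" "00" "A0B1C2" "0000000000" "00" "00010203")
OTA_PDU = ("00" "0581" "0521F5" "7F" "F6" "21905112340000" "1C"
           "001A" "15" "1E21" "15" "15" "A0B1C2" "000000002A" "00"
           "1122334455667788" "C0FFEE00")
TEXT_PDU = "04" "0B912120550581F7" "00" "00" "21905112340000" "02" "C834"

if __name__ == "__main__":
    for name, pdu in (("attack", ATTACK_PDU), ("ota", OTA_PDU), ("text", TEXT_PDU)):
        v = triage_sms_deliver(pdu)
        print(f"{name:6} from {v.sender:<13} TAR={v.tar or '-':6} -> {policy(v)}")
```

The allowlist check matters as much as the SPI check: the text notes that the Attack Message can come from another handset, a GSM modem or an A2P account, none of which should ever be sending (U)SIM data download messages into an operator's network.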

The existence of Simjacker at all means that we need to change our thinking about the security of mobile core networks. We believe the Simjacker attack arose as a direct replacement for the capabilities that attackers on mobile networks lost when operators started to secure their SS7 and Diameter infrastructure. But whereas successful SS7 attacks require specific SS7 knowledge (and access), crafting the Simjacker Attack Message requires a far wider range of specific SMS, SIM card, handset, SIM Toolkit, S@T Browser and SS7 expertise. That investment has clearly paid off for the attackers, who now have a way to control any mobile phone in a given country with only a $10 GSM modem and a target phone number. In short, the arrival of Simjacker shows that attackers of mobile operators have invested heavily in new attack techniques, and with this increased investment and skill set we should expect more such complex attacks in future.

As a result, we in the mobile security industry will need to improve our capabilities as well. It also means that relying on existing recommendations will not be enough to protect mobile operators, because attackers like these will keep innovating to get around whatever measures are put in place. Instead, mobile operators will have to keep watching for unusual and malicious activity in order to spot 'hidden' attacks. Other vulnerabilities and attacks that evade existing defences will undoubtedly be found and exploited. Operators will need to step up their own capability and investment in detecting and blocking these attacks, because attackers' capabilities have moved beyond simply exploiting unsecured networks to a very complex mix of protocols, execution environments and technologies.

The Long Run

In this post we have barely scratched the surface of Simjacker. On 3 October 2019, at the Virus Bulletin Conference in London, we will present more detail on the format of the attacks, what the attackers do to try to evade detection and how they operate their system, as well as a taste of their reaction once their attacks were detected and blocked. We will also discuss how we think these attacks may evolve. We expect a response once the news is made public, and we will discuss what impact (if any) the disclosure has on their activity.

The Simjacker vulnerability represents a huge, almost Stuxnet-like leap in sophistication over previous SMS or SS7/Diameter attacks, and it shows that the scope and potential of attacks on core networks is far greater than we previously believed. Now is the time to make sure we stay one step ahead of these threats.

Simjacker: a SIM-card-based phone attack

Researchers at AdaptiveMobile Security have uncovered a method of attacking mobile phones that can be carried out with an ordinary PC and a cheap USB modem. Unlike some earlier cellular spying techniques, which required special equipment and a telecom operator licence, this attack, known as Simjacker, exploits a vulnerability in SIM cards.

Most SIM cards issued since the early 2000s, including eSIMs, carry a carrier menu with options such as Balance Check, Recharge and Technical Support, and sometimes extras such as Weather or even Horoscope. On older phones it sat right in the main menu; on iOS it is hidden under Settings (SIM Applications), and on Android it is a separate app called SIM Toolkit.

The menu is essentially an app, or more precisely a collection of apps known collectively as the SIM Toolkit (STK), but these programs run on the SIM card rather than on the phone. Remember that your SIM card is a small computer with its own operating system and applications. External events, such as a button pressed in the carrier menu, trigger STK, which then instructs the phone to perform certain actions, such as sending SMS messages or USSD commands.

S@T Browser is one of the applications included with STK. It can display web pages in a specific format as well as pages on the carrier's internal network; for example, S@T Browser can show your account balance.

Although its functions are now performed by other applications on newer smartphones, S@T Browser has not been updated since 2009 and is still in active use, or at the very least is still installed on many SIM cards. The researchers have not named specific regions or carriers that sell SIM cards with this application, but they say it is used by more than a billion people in 30 countries, and it is in S@T Browser that the vulnerability was found.

Simjacker attacks

The attack begins with an SMS message containing a set of instructions for the SIM card. Following these instructions, the SIM card requests the phone's serial number (its IMEI) and the Cell ID of the base station serving the subscriber, then sends an SMS reply containing this information to the attacker's number.

Because base station coordinates are known (and even available online), the Cell ID can be used to pin down the subscriber's location to within a few hundred metres. Location-based services rely on the same idea when determining position without satellite help, for example indoors or when GPS is switched off.

The user is completely unaware of any tampering with the SIM card. Simjacker victims are unlikely to know they are being watched, since neither the incoming SMS messages with instructions nor the replies with device location data are shown in the Messages app.

Who was Simjacker's target?

According to AdaptiveMobile Security, spies have been monitoring the whereabouts of people in several undisclosed countries. In one of them, roughly 100-150 people are tracked every day. Requests were typically sent no more than once a week, but some victims were tracked far more intensively: the research team found that a number of recipients were receiving hundreds of malicious SMS messages per week.

The potential of Simjacker-style attacks

According to the researchers, the attackers did not use all of the SIM card capabilities that S@T Browser makes available. Via SMS the SIM can be made to call any number, send messages with arbitrary content to arbitrary numbers, open links in the browser, and even disable the SIM card, leaving the victim without a phone.

The flaw could let attackers transfer money via SMS to a bank account, call premium-rate short numbers, open phishing sites in the browser, or download Trojans.

The vulnerability is especially serious because it does not depend on the device the vulnerable SIM card is inserted into: the STK command set is standardised and supported by all phones, including IoT devices with SIM cards. Some devices ask for user confirmation for certain actions, such as making a phone call, but many do not.

How can a user protect themselves against Simjacker attacks?

Unfortunately, there is no standalone way for users to protect themselves against SIM card attacks. It is up to mobile carriers to ensure the security of their customers. They should block SMS messages carrying such commands and stop using outdated SIM menu applications.

There is some good news, however. Although no expensive hardware is needed to carry out the attack, it does require a high level of technical knowledge and special skills, so the method is unlikely to be used by every cybercriminal in the world.

Furthermore, the researchers notified SIMalliance, the developer of S@T Browser, of the issue. SIMalliance responded by issuing a set of security guidelines for carriers that use the application. The GSM Association, an international organisation representing the interests of mobile carriers worldwide, was also notified of the Simjacker attacks, so it is expected that companies will take the necessary precautions as soon as possible.

Your SIM Card Can Be Hacked in Three Ways (And How to Protect It)

Your SIM card's security is at risk. Learn how SIM cards can be hijacked and how to keep your phone safe.

With new online threats emerging daily, you need to stay informed about new security flaws. And since you are reading this, you presumably already know that your smartphone's operating system needs regular updates to stay safe from attacks.

Surprisingly, though, a SIM card can also be a source of security flaws. We'll show you how attackers can use SIM cards to gain access to devices, and give you tips on keeping your SIM card secure.

1. Simjacker

In September 2019, security researchers at AdaptiveMobile Security announced that they had discovered a new security vulnerability they called Simjacker. This complex attack targets SIM cards by sending spyware-like code to the target device via SMS.

No action by the user is needed: the SIM card processes the message silently, and attackers can use the code to track the device's location, retrieve device identifiers such as the IMEI, and instruct the SIM to place calls or send messages from the victim's phone.

The vulnerability is exploited through S@T Browser, a piece of software within the SIM Application Toolkit (STK) that many operators ship on their SIM cards. The SIMalliance Toolbox Browser is a way of reaching network services; essentially, it is a rudimentary browser that lets service providers offer simple services such as checking your account balance.

S@T Browser is rarely used now, since most people use a browser such as Chrome or Firefox on their device. A large number of SIM cards still have the software installed, however, leaving them exposed to the Simjacker attack.


According to the researchers, the S@T protocol is "employed by mobile carriers in at least 30 countries with a combined population of over a billion people", especially in the Middle East, Asia, North Africa and Eastern Europe.

They also believe the exploit was developed and used by a private company working with several governments to monitor particular groups, such as journalists and activists.

Phones of all types, including iPhones and Android devices, are vulnerable. Simjacker also works against embedded SIM cards (eSIMs).

2. SIM Swapping

SIM swapping is another security problem you may have heard of. In August 2019, attackers used a variant of this technique to gain access to Twitter CEO Jack Dorsey's personal Twitter account, an incident that drew attention to how damaging these attacks can be. Rather than exploiting a technical flaw, the technique relies on deception and social engineering.

To carry out a SIM swap, the attacker first contacts your phone provider, poses as you and requests a new SIM card, claiming, for instance, that they need a new SIM because they are upgrading to a new handset. If they succeed, the provider issues them the SIM.

They can then take over your phone number and link it to their own device, all without ever touching your physical SIM card.

This has two consequences. First, your original SIM card is deactivated and stops working. Second, the attacker now controls your phone number, including calls, texts and two-factor authentication requests. That may give them enough to get into your accounts, and they may be able to lock you out of them as well.

Because it relies on social engineering, SIM swapping is hard to prevent: the attacker has to convince a customer service representative that they are you, and once they have your SIM they control your phone number. You may not even realise you have been targeted until it is too late.


3. SIM Cloning

Many people mistakenly lump SIM swapping and SIM cloning together. SIM cloning, however, is more hands-on than the other method.

In a SIM cloning attack, the attacker gets physical access to your SIM card and makes a copy of it, which naturally means removing the SIM card from your phone first.

They do this with smart card copying software, which copies the identifiers from your SIM card onto a blank SIM. For the clone to authenticate to the network it must also reproduce the card's secret authentication key (Ki), which is why cloning is only practical against older SIM cards whose authentication algorithm lets that key be extracted.

The attacker then inserts the freshly cloned SIM card into their own phone. Once this is done, consider your SIM identity compromised.

The attacker can now intercept your phone's communications, just as with SIM swapping, including your two-factor authentication codes, giving them access to your social media accounts, email, card and bank accounts, and more.

Attackers may also use your stolen SIM identity to commit fraud that requires a unique phone number.

How to Protect Your SIM Card

If you want to protect your SIM card against attacks like these, there are a few steps you can take.

Protect against social engineering attacks

To guard against SIM swaps, make it hard for attackers to gather information about you. Attackers use details they find about you online, such as your address or the names of friends and relatives, to persuade a customer service representative that they are you.

Set your Facebook profile to friends-only and minimise the public information you share on other sites. Also delete old accounts you no longer use, so they cannot be the source of a breach.


Another way to avoid SIM swaps is to avoid phishing. Attackers may try to phish you for further details they can use to take over your SIM. Watch out for phishing emails and login pages, and always be careful where you enter your login details for each account.

Finally, think about which two-factor authentication methods you use. Some providers deliver the authentication code by SMS to your phone, which means that if your SIM is compromised, attackers can get into your accounts even with two-factor authentication enabled.

Use a different method instead, such as the Google Authenticator app. Because the code is derived from a secret held on your device rather than from your phone number, it is resistant to SIM swaps and clones.


You should also set up protections on the SIM card itself. The most important is a SIM PIN: with it enabled, the card refuses to work until the PIN is entered, so anyone who removes your SIM and puts it in another phone, or tries to copy it, needs the PIN. Note that a SIM PIN does not stop a carrier-side SIM swap, which never touches your physical card.

Before you set up a SIM lock, make sure you know the PIN your network operator gave you (it is usually printed on the card the SIM came on). Entering the wrong PIN three times locks the card, and you will then need the PUK from your operator to unlock it. On an Android handset, go to Settings > Lock screen and security > Other security settings > Set up SIM card lock (the exact path varies by manufacturer and version), then turn on the Lock SIM card toggle.

On an iPhone, go to Settings > Cellular > SIM PIN; on an iPad, Settings > Mobile Data > SIM PIN. The SIM lock is enabled once you confirm your current PIN.

Additional Security Advice

As always, use strong passwords that are unique to each account. Don't reuse the same password across accounts or recycle old ones.

Also make sure your password recovery questions cannot be answered from public information, such as your mother's maiden name.

Defend Your Device Against SIM-Based Attacks

Mobile device attacks are becoming more sophisticated, but there are ways to defend yourself, such as keeping your personal information private and using a SIM card lock.

Phones are also more secure than they used to be, and you can check whether yours has been compromised. Make use of the security options available to you to protect yourself from malicious activity.

web site: SPY24