Simjacker attack exploited in the wild to track users for at least two years

Simjacker attack abuses STK and S@T Browser technologies installed on some SIM cards.
Written by Catalin Cimpanu, Contributor
Simjacker attack
Image: AdaptiveMobile Security

Security researchers have disclosed today an SMS-based attack method being abused in the real world by a surveillance vendor to track and monitor individuals.

"We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," security researchers from AdaptiveMobile Security said in a report released today.

"We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance."

Researchers described this attack as "a huge jump in complexity and sophistication" compared to attacks previously seen over mobile networks and "a considerable escalation in the skillset and abilities of attackers."

How Simjacker works

Simjacker begins with an attacker using a smartphone, a GSM modem, or any A2P (application-to-person) service to send an SMS message to a victim's phone number.

These SMS messages contain hidden SIM Toolkit (STK) instructions that are supported by a device's S@T Browser, an application that resides on the SIM card, rather than the phone.

The S@T Browser and the STK instructions are an old technology supported on some mobile networks and their SIM cards. They can be used to trigger actions on a device, like launching browsers, playing sounds, or showing popups. In the old age of mobile networks, operators used these protocols to send users promotional offers or provide billing information.

But AdaptiveMobile said the Simjacker attacks it observed abused this mechanism to instruct a victim's phones to hand over location data and IMEI codes, which the SIM card would later send via an SMS message to a third-party device, where an attacker would log the victim's location.

Image: AdaptiveMobile Security

To make matters worse, the Simjacker attack is completely silent. Victims don't see any SMS messages inside their inboxes or outboxes. This allows threat actors to continously bombard victims with SMS messages and keep track of their location as they move through the day, week, or month.

Furthermore, because Simjack exploits a technology residing on the SIM card, the attack also works independently of the user's device type.

"We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards," researchers said.

The only good news is that the attack doesn't rely on regular SMS messages, but more complex binary code, delivered as an SMS, which means network operators should be able to configure their equipment to block such data traversing their networks and reaching client devices.

Active Simjacker attacks detected

Because AdaptiveMobile has not shared the name of the company performing these attacks, it is unclear if this vulnerability is being used to track criminals or terrorists, or abused to track dissidents, journalists, or political opponents.

Nevertheless, AdaptiveMobile said Simjacker attacks are happening on a daily basis, in large numbers.

In most cases, phone numbers are tracked a few times a day, for long periods, rather than multiple times per day.

However, researchers said that a few phone numbers had been tracked hundred times over a 7-day period, suggesting they belonged to high-value targets.

Image: AdaptiveMobile Security

"These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time," AdaptiveMobile researchers said.

Simjacker is the result of improvements to mobile networks

The mystery remains about who developed this attack, but AdaptiveMobile said the private company was an expert in the field.

"As well as producing this spyware, this same company also have extensive access to the SS7 and Diameter core network, as we have seen some of the same Simjacker victims being targeted using attacks over the SS7 network as well, with SS7 attack methods being used as a fall-back method when Simjacker attacks do not succeed," AdaptiveMobile said.

"We believe that the Simjacker attack evolved as a direct replacement for the abilities that were lost to mobile network attackers when operators started to secure their SS7 and Diameter infrastructure," researchers said.

However, while attacks on the SS7 and Diameter protocols involved deep knowledge of mobile networking protocols and expensive gear, the Simjacker attack is far simpler and cheaper. All it takes is a $10 GSM modem and a victim's phone, researchers said.

Ancient protocol

The vulnerability at the heart of the Simjacker attack should have been easily prevented if mobile operators would have shown some restraint into what code they put on their SIM cards.

"This S@T Browser software is not well known, is quite old, and its initial purpose was to enable services such as getting your account balance through the SIM card," researchers said.

"Globally, its function has been mostly superseded by other technologies, and its specification has not been updated since 2009, however, like many legacy technologies it is still been used while remaining in the background."

AdaptiveMobile said it has seen the S@T Browser technology active on the network of mobile operators in at least 30 countries around the globe. These countries, researchers said, have a cumulative population of over one billion, all of whom are exposed to this silent surveillance method. According to a source who spoke with ZDNet, the impacted countries are in the MENA (Middle East North Africa) region, and a few in Asia and Eastern Europe.

Furthermore, the S@T Browser technology supports more than the commands abused by the attackers -- namely those to retrieve location data and IMEI codes, and send an SMS message.

Other S@T Browser supported commands include the ability to make calls, power off SIM cards, run AT modem commands, open browsers (with phishing links or on sites with exploit code), and more.

AdaptiveMobile warns that this technology and this attack could be useful for more than just surveillance, and other threat actors could soon abuse it as well. For example, Simjacker could also be used for misinformation campaigns (for sending SMS/MMS messages with fake content), financial fraud (dialing premium numbers), espionage (initiating call and listening on nearby conversations), and sabotage (by disabling a target's SIM card), among many others.

In fact, the Simjacker attacks aren't actually new. It's just that a threat actor found a way to weaponize STK instructions. They've been known, at least at the theoretical level, since 2011, when Romanian security researcher Bogdan Alecu first described how a malicious actor could abuse STK commands to subscribe users to premium numbers [1, 2].

The AdaptiveMobile research team will be discussing and presenting more on the Simjacker attacks and their findings at the VirusBulletin 2019 security conference that is going to be held in London, in October, this year.

Updated at 1:00pm ET with info on Alecu's 2011 research on SIM Toolkit (STK) attacks. Title updated accordingly, as this is not actually a "new" attack.

HackerOne's top 20 public bug bounty programs

Editorial standards