Adaptive Mobile -- the cyber-security company that discovered the Simjacker attack -- published today a list of countries where local mobile operators ship SIM cards vulnerable to Simjacker.
The list includes 29 countries across five continents, albeit Adaptive Mobile did not list which telco providers are vulnerable in each:
Central America: Mexcio Guatemala Belize Dominican Republic El Salvador Honduras Panama Nicaragua Costa Rica
South America: Brazil Peru Colombia Ecuador Chile Argentina Uruguay Paraguay
Africa: Ivory Coast Ghana Benin Nigeria Cameroon
Europe: Italy Bulgaria Cyprus
Asia: Saudi Arabia Iraq Lebanon Palestine
What is Simjacker
The Simjacker attack was publicly disclosed in mid-September. The attack exploits SIM cards that come with a pre-installed Java applet named the S@T Browser.
If the mobile operator forgot to configure the "security level" of an S@T Browser app installed on its SIM cards, anyone could send a specially formatted binary SMS (called an OTA SMS) to a user's phone number and run malicious commands without the user's knowledge -- such as tracking the device's location, sending SMS messages, opening a browser, and more.
In September, Adaptive Mobile said the attack had been used in the real world but deferred offering additional details until this month, when its security researchers where scheduled to present the results of the Simjacker investigation at the Virus Bulletin 2019 security conference.
Simjacker attacks spotted in Mexico, Colombia, and Peru.
Now that the security conference has come and gone, the company kept its promise and provided more details about the Simjacker attacks it observed in the wild.
But besides listing all the countries where mobile operators have misconfigured SIM cards and have left the S@T Browser app open to attacks, Adaptive Mobile also revealed the countries where it detected attacks.
These are Mexico, Colombia, and Peru.
Even though Simjacker allowed for a broad spectrum of operations, Adaptive Mobile said the attack had only been used to track users' locations, and nothing more.
The cyber-security company also said it found evidence that Simjacker was developed by a company that sells surveillance software to governments across the world.
"We have not named the specific company that we believe is responsible, as to do so, we would need to release some additional proof," Adaptive Mobile said in a blog post published today. "That proof would also reveal specific methods and information that would impact our ability to protect subscribers."
Despite Simjacker being a very scary attack, the company calls for calm.
"The 'average' person is not likely to be targeted," it said, "the main targets are probably those that are of interest to nation-state customers."
But for those who need assurances, SRLabs updated its SIMTester app last month to support Simjacker scans. The app will be able to tell users if they have the S@T Browser app installed on their SIM card, and if the app has been misconfigured and left vulnerable to Simjacker attacks.
Fewer users vulnerable to WIBattack
In addition, Adaptive Mobile also looked into WIBattack, a Simjacker-like attack that was disclosed at the end of September, and which works in the same way, but targets the WIB app installed on SIM cards, instead of S@T Browser.
After conducting their own tests, Adaptive Mobile said that the number of countries and mobile operators vulnerable to WIBattack is far smaller compared to the ones vulnerable to Simjacker -- 8 operators in 7 countries, compared to 61 operators in 29 countries.