A private company has been drilling into a vulnerability in mobile SIM cards for the past two years to help governments snoop on targeted individuals, said researchers at Adaptive Mobile Security. Named ‘SimJacker’, this vulnerability could extend to over one billion mobile phone users globally, and its exploit is ongoing, they said in a report.

“Simjacker and its associated exploits is a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks,” said the report.

How SimJacker attack starts?

The attack starts when an SMS containing a specific type of spyware-like code is sent to a mobile phone. The code commandeers the SIM card to retrieve and perform sensitive commands.

“The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated,” said the report.

“However, the Simjacker attack can and has been extended further to perform additional types of attacks.”

The damage sustained depends on the intention of the hacker and the intensity of the attack, the report explained.

“Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators, such as fraud, scam calls, information leakage, denial of service, and espionage,” it said. 

“In theory, all makes and models of mobile phones are open to attack as the vulnerability is linked to a technology embedded on SIM cards. The Simjacker vulnerability could extend to over one billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, Middle East and indeed any region of the world where this SIM card technology is in use.”

The cyber-security company did not disclose the origin of the attacks but said it was “quite confident” that the exploit had been developed by a “specific private company” that works with governments to monitor individuals.

This move is hardly surprising, observed Sam Curry, chief security officer at Cybereason.

“AdaptiveMobile’s espionage discovery shouldn’t surprise mobile carriers or phone users, as the attack surface is increasing both from a corporate and consumer information standpoint, and hackers are clearly taking advantage of it,” he explained.

Similar instances have come to light in the past few months. The most common instance was SIM jacking, where someone impersonates a mobile phone customer and requests that person’s cellular provider in order to steal the cell phone number. The usual targets are cryptocurrency users, whose verification key is their mobile numbers.

Threat actors gained unauthorized access to an undisclosed number of Sprint customer accounts in the US in June via a compromised Samsung website.

“If a malicious actor has access to the appropriate provider information, they can co-opt the user’s account either through the porting process or by simply obtaining a replacement SIM,” Tim Mackey, principal security strategist at Synopsys, told SC Media UK after the Sprint incident.

“Once ported, the replacement device will receive all cellular messages, such as SMS. This can facilitate attacks where SMS is used as part of a two-factor identification strategy,” he added.

With ‘SimJacker’, the situation has gone to a stage where the information is seeped out without the knowledge or consent of the users. This is another example of individuals being hacked and the victims having no idea their personal information is being compromised, said Cybereason’s Curry.

Cybereason disclosed in June that hackers have infiltrated the networks of at least ten major global telecom service providers and remained undetected for years, according to cyber-security research firm Cybereason.

The move was part of a long-running snooping on targets such as military officials, dissidents, spies, and law enforcement officials across Asia, Europe, Africa and the Middle East, said the cyber-security company. The attack range of SimJacker also shows a similar pattern.

According to Curry, wide-scale mobile attacks of this nature will keep cropping up.

“Hackers using the low and slow attack paradigm have a higher success rate of circumventing almost all of the detection capabilities available. While details are still emerging in this particular breach, this would appear to have the makings of a nation-state actor,” Curry said.

“They almost never engage in smash-and-grab campaigns to steal money, social security numbers or credit card numbers. Their motives are likely to target certain individuals to know who they are talking to, where they are traveling and when,” he added.