Alarming Simjacker Exploit Infiltrates Smartphones Via SMS And Lojacks Your Location

It seems as though we can't escape a single week without hearing about a new widespread security exploit that puts us all at risk. This week, the newly detailed attack taking center stage is called Simjacker, and it was revealed by the folks at AdaptiveMobile Security.

As its name implies, Simjacker works primarily by exploiting the SIM cards that all of our smartphones use. As the researchers explain it, this new exploit represents a "huge jump in complexity and sophistication" in comparison to other attack vectors that have propagated over mobile networks.

Although Simjacker is quite an intricately-executed exploit, we'll give you a brief overview of how it claims its victims. First of all, the perpetrator sends an SMS "attack message" to a victim which contains SIM Toolkit (STK) instructions. These instructions are specifically crafted to call on the S@T Browser embedded in every SIM card. From there the S@T Browser can execute code that will force the target smartphone to return information to the attacker.


This information from the target phone is then relayed back to the malicious party in the form of another SMS message. So what data is being relayed back to the perpetrator? According to AdaptiveMobile Security, both IMEI information and location details can be sent via SMS. 

And here's where things get incredibly sneaky and downright frightening. "During the attack, the user is completely unaware that they received the SMS with the Simjacker Attack message, that information was retrieved, and that it was sent outwards in the Data Message SMS - there is no indication in any SMS inbox or outbox," writes AdaptiveMobile Security.

Interestingly, it is stated that the S@T Browser is incredibly outdated and not even as frequently used today as it once was before the prevalence of smartphones. In fact, the researchers point out that the underlying specifications for the software have not been updated in roughly a decade.


Besides obtaining IMEI and location information, this Simjacker attack could also be used to "silently" access the complete STK command set. With these tools at their disposal, attackers could implement DoS attacks, perform espionage campaigns, and even spread malware.

Given the extreme complexity and wide scope of Simjacker's impact, it is the opinion of the researchers that it was commissioned by a government entity and developed by a private company for surveillance purposes.

"These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time," writes AdaptiveMobile Security.

And according to the researchers, Simjacker has been in the wild for over two years. As for what can be done to shut down this attack vector, it's being recommended that carriers simply block suspicious messages that carry S@T Browser commands.
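
One way a carrier-side filter could apply the blocking recommended above, as an added example that is not from the article or from AdaptiveMobile Security: it parses an SMS-DELIVER TPDU and flags messages addressed to the SIM rather than to the handset's inbox. The function name, the TAR values treated as S@T Browser identifiers, and the sample messages are assumptions constructed for illustration.

```python
# Added example: triage an SMS-DELIVER TPDU for SIM-directed OTA content.
# Layout per 3GPP TS 23.040 (TPDU) and TS 31.115 (secured command packet).
# ASSUMPTION: TAR values publicly attributed to the S@T Browser; confirm them
# against your own SIM profiles before blocking on them.
SAT_BROWSER_TARS = {bytes.fromhex("505348"), bytes.fromhex("534054")}
PID_SIM_DATA_DOWNLOAD = 0x7F  # TP-PID: (U)SIM data download
DCS_CLASS2_8BIT = 0xF6        # TP-DCS: 8-bit data, class 2 (delivered to the SIM)
IEI_COMMAND_PACKET = 0x70     # UDH element announcing a command packet


def classify_tpdu(tpdu_hex: str) -> str:
    """Return 'allow', 'review' (SIM-directed binary SMS) or 'block' (S@T TAR)."""
    t = bytes.fromhex(tpdu_hex)
    try:
        if t[0] & 0x03 != 0x00:             # TP-MTI 00 = SMS-DELIVER
            return "allow"
        udhi = bool(t[0] & 0x40)            # TP-UDHI: user data starts with a header
        pos = 3 + (t[1] + 1) // 2           # skip OA length, type-of-address, digits
        pid, dcs = t[pos], t[pos + 1]
        if pid != PID_SIM_DATA_DOWNLOAD and dcs != DCS_CLASS2_8BIT:
            return "allow"                  # ordinary message, not addressed to the SIM
        pos += 2 + 7                        # skip PID, DCS and the 7-octet timestamp
        ud = t[pos + 1:pos + 1 + t[pos]]    # TP-UDL counts octets for 8-bit data
        if not udhi:
            return "review"
        ies, i = set(), 1
        while i + 1 <= ud[0]:               # walk IEI / length / data triples
            ies.add(ud[i])
            i += 2 + ud[i + 1]
        if IEI_COMMAND_PACKET not in ies:
            return "review"
        packet = ud[1 + ud[0]:]
        tar = packet[7:10]                  # after CPL(2) CHL(1) SPI(2) KIc(1) KID(1)
        return "block" if tar in SAT_BROWSER_TARS else "review"
    except IndexError:
        return "review"                     # truncated TPDU: hold it rather than pass it


# Constructed sample TPDUs (dummy originator, timestamp and empty payload).
_OA, _TS = "0B915155550501F0", "91902100000000"
_PKT = "027000" + "000E0D00000000" + "{tar}" + "000000000000"
SAMPLE_SAT = "44" + _OA + "7FF6" + _TS + "13" + _PKT.format(tar="505348")
SAMPLE_OTHER_TAR = "44" + _OA + "7FF6" + _TS + "13" + _PKT.format(tar="ABCDEF")
SAMPLE_TEXT = "04" + _OA + "0000" + _TS + "02" + "C834"   # plain 7-bit "Hi"

if __name__ == "__main__":
    for name in ("SAMPLE_SAT", "SAMPLE_OTHER_TAR", "SAMPLE_TEXT"):
        print(name, classify_tpdu(globals()[name]))
```

Messages marked "review" are SIM-directed but not addressed to an S@T TAR; whether those come only from the operator's own OTA platform is a separate policy check.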

Brandon Hill


Opinions and content posted by HotHardware contributors are their own.