• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Severe Hikvision HikCentral product flaws: What You Need to Know

 | 

U.S. CISA adds TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities catalog

 | 

Google addressed two Android flaws actively exploited in targeted attacks

 | 

U.S. CISA adds WhatsApp, and TP-link flaws to its Known Exploited Vulnerabilities catalog

 | 

Android droppers evolved into versatile tools to spread malware

 | 

Jaguar Land Rover shuts down systems after cyberattack, no evidence of customer data theft

 | 

Cloudflare blocked a record 11.5 Tbps DDoS attack

 | 

Palo Alto Networks disclosed a data breach linked to Salesloft Drift incident

 | 

Von der Leyen’s plane hit by suspected Russian GPS Jamming in Bulgaria, landed Safely

 | 

Supply-chain attack hits Zscaler via Salesloft Drift, leaking customer info

 | 

Crooks exploit Meta malvertising to target Android users with Brokewell

 | 

North Korea’s APT37 deploys RokRAT in new phishing campaign against academics

 | 

Fraudster stole over $1.5 million from city of Baltimore

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 60

 | 

Security Affairs newsletter Round 539 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Amazon blocks APT29 campaign targeting Microsoft device code authentication

 | 

Lab Dookhtegan hacking group disrupts communications on dozens of Iranian ships

 | 

New zero-click exploit allegedly used to hack WhatsApp users

 | 

US and Dutch Police dismantle VerifTools fake ID marketplace

 | 

Experts warn of actively exploited FreePBX zero-day

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Mobile
  • SIM cards used in 29 countries are vulnerable to Simjacker attack

SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini October 12, 2019

Security researchers at Adaptive Mobile who discovered the SimJacker issue have published the list of countries where mobile operators use flawed SIM cards.

Exactly one month ago, researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in many countries. The experts discovered that that the exploitation of the vulnerability is independent of the model of phone used by the victim.

Now Adaptive Mobile published the list of countries where local mobile operators are using SIM cards affected by the Simjacker flaw, anyway the company did not name the impacted mobile phone carriers.

“This varies by country and region. From our analysis we could identify 61 Mobile Operators (excluding MVNOs) in the 29 countries that use this technology.” reads the report. “Based on public reported information the cumulative subscriber numbers of these S@T Browser-using Operators comes to ~861 million mobile connections (SIM cards).” “Not all SIM cards in the operator may use this technology. In discussions with a few operators in the LATAM region we were informed that the majority of SIM Cards (>90%) in their network had it.”

Below the full list of countries published by the experts:

Central America:
Mexcio
Guatemala
Belize
Dominican Republic
El Salvador
Honduras
Panama
Nicaragua
Costa Rica

South America:
Brazil
Peru
Colombia
Ecuador
Chile
Argentina
Uruguay
Paraguay

Africa:
Ivory Coast
Ghana
Benin
Nigeria
Cameroon

Europe:
Italy
Bulgaria
Cyprus

Asia:
Saudi Arabia
Iraq
Lebanon
Palestine

The S@T Browser application is installed on multiple SIM cards, including eSIM, as part of SIM Tool Kit (STK), it enables the SIM card to initiate actions which can be used for various value-added services.

Since S@T Browser implements a series of STK instructions (i.e. send, call, launch browser, provide local data, run command, and send data) that can be executed by sending an SMS to the phone.

The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.

The attacker could exploit the flaw to

  • Retrieve targeted device’ location and IMEI information,
  • Spread mis-information by sending fake messages on behalf of victims,
  • Perform premium-rate scams by dialing premium-rate numbers,
  • Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
  • Spread malware by forcing victim’s phone browser to open a malicious web page,
  • Perform denial of service attacks by disabling the SIM card, and
  • Retrieve other information like language, radio type, battery level, etc.

On October 3rd, the experts presented their research at VB2019 conference in London and they published a technical paper on the attack. The paper shows how the flaw is being exploited by threat actors and privides technical details on technologies used in the attacks.  report.

The experts explained that the attack is transparent to the users, the targets are not able to notice any anomaly.

Adaptive Mobile revealed that a private surveillance firm was aware of the zero-day flaw since at least two years and is actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

“Within the report we outline why we think it is a surveillance company that developed this exploit.” read a FAQs page published by the experts. “However, we have not named the specific company that we believe is responsible, as to do so, we would need to release some additional proof. That proof would also reveal specific methods and information that would impact our ability to protect subscribers.”

Experts also added that the vulnerability has been likely exploited by nation-state actors for targeted attacks on persons of interests.

After the flaw was publicly disclosed, the researchers at SRLabs developed an Android app, named SnoopSnitch, that can detect Simjacker-like attacks. The SnoopSnitch app only runs on rooted Android mobile phones with a Qualcomm chipset. SRLabs researchers also updated their SIMTester app to include Simjacker.

Experts at Adaptive Mobile also analyzed the impact of the recently disclosed WIBattack and explained that it impacts a smaller number of users compared with SimJacker. Experts estimated that only 8 operators in 7 countries are using SIM cards vulnerable to the attack.

“WIB is a propriety SIM card technology like S@T which reports show could also be exploited via ‘Simjacker-like’ attacks. However, it’s important to state that we haven’t seen any attacks involving WIB.” concludes the report. “The WIB technology itself seems less prevalent that the S@T Browser (see diagram below and section 7 of the report), and available publicly information doesn’t indicate that WIB has the same apparent oversight in recommended security level.”

The following graph shows the number of Vulnerable Countries & Operators for S@T Browser and WIB.

“This has important implications for all Mobile Operators if they wish to deal with attacks from threat actors like this in the future.” concludes the report.”It means that previous ways of relying on recommendations, with no operational investigation or research won’t be enough to protect the mobile network and its subscribers, and what’s worse, will give a false sense of security.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SimJacker, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Hacking Pierluigi Paganini Security Affairs Security News simjacker

you might also like

Pierluigi Paganini September 04, 2025
Severe Hikvision HikCentral product flaws: What You Need to Know
Read more
Pierluigi Paganini September 04, 2025
U.S. CISA adds TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Severe Hikvision HikCentral product flaws: What You Need to Know

    Hacking / September 04, 2025

    U.S. CISA adds TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities catalog

    Hacking / September 04, 2025

    Crooks turn HexStrike AI into a weapon for fresh vulnerabilities

    Cyber Crime / September 03, 2025

    Google addressed two Android flaws actively exploited in targeted attacks

    Security / September 03, 2025

    U.S. CISA adds WhatsApp, and TP-link flaws to its Known Exploited Vulnerabilities catalog

    Hacking / September 03, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT