Further, they have detected the use of what has been dubbed Simjacker going back at least two years.
According to AdaptiveMobile, "The main Simjacker attack involves a SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to 'take over' the mobile phone to retrieve and perform sensitive commands.
"The attacks exploit the ability to send SIM Toolkit Messages and the presence of the S@T Browser on the SIM card of vulnerable subscribers." (The S@T Browser is normally used for browsing through the SIM card.)
AdaptiveMobile asserts that over 1 billion devices are vulnerable to this attack: any device whose SIM makes use of the S@T Browser.
Writing in support of the company's announcement, chief technology officer Cathal McDaid said:
"By using these commands in our own tests, we were able to make targeted handsets open up web browsers, ring other phones, send text messages and so on. These attacks could be used to fulfil such purposes as:
- "Misinformation (e.g. by sending SMS/MMS messages with attacker controlled content)
- "Fraud (e.g. by dialling premium rate numbers)
- "Espionage (as well as the location-retrieving attack, an attacked device could function as a listening device, by ringing a number)
- "Malware spreading (by forcing a browser to open a web page with malware located on it)
- "Denial of service (e.g. by disabling the SIM card)
- "Information retrieval (retrieve other information like language, radio type, battery level etc.)
"It even may be possible to go even further — depending on handset type — which we will discuss in our VB2019 presentation. Worryingly, we are not the only people to think of these additional attacks, over the last few weeks and months we have observed the attackers themselves experiment with these different capabilities.
"Finally, another benefit of Simjacker from the attacker's perspective is that many of its attacks seem to work independent of handset types, as the vulnerability is dependent on the software on the UICC and not the device. We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.
"One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT devices) may not even ask for this."
Although AdaptiveMobile does not name the organisation, it is clear from its reporting that the company knows exactly who has created and is exploiting this vulnerability, as it states, "We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals."
As stated earlier, the user cannot block these messages – it can only be done in the core of the telco network by blocking S@T messages that originate outside of the network.
AdaptiveMobile has reported the issue to the GSM Association, which has disseminated the information to its member organisations.
AdaptiveMobile will present a detailed analysis of this problem at the upcoming Virus Bulletin Conference in London on 3 October.