What Is It?
Recently disclosed by security researchers at AdaptiveMobile Security, Simjacker is a sophisticated attack which has the potential to ‘take over’ and retrieve data from a users mobile phone simply by sending an SMS to the handset – regardless of make or model. It is believed that this attack is actively being used by a private company on behalf of governments to target and track individuals. Though the name of that company has not been disclosed yet.
The attack works by sending a target an SMS message which uses specific instructions originally designed to configure the SIM or the phone itself. The instructions sent by the attackers however target the software inside the SIM card in a malicious way without the message even appearing in the SMS inbox – so the user doesn’t even know they have been targeted. Once received, the message is processed and silently provides information such as the IMEI number for the phone and its location. The ability of the SIM doesn’t stop there though, it’s possible that attackers could go further to initiate calls from phones, launch applications, play sounds or switch the handset off.
Whilst only recently discovered, researchers at AdaptiveMobile believe that this attack has been in use for around two years to track individuals without their consent by un-named governments around the world.
The nature of mobile phones means that this attack could be used against any device in any country, well over 1 billion SIM cards are in active use. Whilst mobile phone providers are working to block the messages from entering their networks, researchers have evidence to suggest that in some countries between 100 and 200 devices per day are being targeted with this attack.
