According to AdaptiveMobile Security, a vulnerability called Simjacker has been found in SIM cards and is being used to track users and intercept calls, among other nefarious activities. The firm's researchers estimate that more than a billion smartphones could be under attack.
"This vulnerability is currently being actively exploited by a specific private company that works with governments to monitor individuals. Simjacker and its associated exploits is a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM card within the phone to 'take over' the mobile phone to retrieve and perform sensitive commands," the researchers noted.
The massive scale of the attack is worrisome. The researchers did not pinpoint which companies or governments are behind the construction of Simjacker, but said that they could be "a large professional surveillance company, with very sophisticated abilities in both signalling and handset." What's disturbing is that the vulnerability has been exploited for the last two years.
The blog post detailing the properties of Simjacker said that the hackers are using a technology within the SIM card called S@T Browser (short for SIMalliance Toolbox Browser). This technology, generally used for browsing the internet through the SIM card, is turned into a lethal weapon. Hackers can perform actions such as opening a browser and redirecting it to malicious sites to install malware on the phone, placing calls and playing ring tones.
"Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage," the researchers added.
The researchers noted that the firm has decided to keep more details about the attack under wraps for now, but it will share them at the upcoming Virus Bulletin Conference in London on October 3. Stay tuned for updates.