Cybersecurity researchers revealed the existence of a new and previously undisclosed vulnerability in SIM cards that for at least the last two years is being abused in real attacks to track and monitor individuals.

Dubbed "SimJacker," the attack works by sending an SMS with a specific type of spyware-like code to a mobile phone, which then instructs the SIM Card (UICC) within the phone to ‘take over’ the mobile device to retrieve and perform sensitive commands, according to AdaptiveMobile Security report.

The vulnerability affects a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards that, despite not being updated since 2009, is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.

"We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards," the researchers said.

The attack begins with an attacker sending an SMS (AdaptiveMobile Security uses the term Simjacker ‘Attack Message’) using a smartphone, a GSM Modem or a SMS sending account connected to an A2P account that contains a series of hidden SIM Toolkit (STK) instructions that are supported by a device's S@T Browser. Both STK instructions and S@T Browser software can be used to trigger actions on a device, such as launching browsers, playing sounds, sending short massages and so on.

“Once the Simjacker Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment on the UICC, where it can trigger logic on the handset,” AdaptiveMobile team explained.

The SimJacker code running on the UICC requests location and specific device information (the IMEI) from the handset and then sends retrieved information to a remote phone controlled by the attacker via another SMS message. The most interesting part is that the user is completely unaware about "SimJacker" attack is happening, as there is no indication of the “Data Message SMS” in any SMS inbox or outbox.

The researchers said that they have seen “phone numbers from several countries being targeted by these attacks” and believe that “individuals in other countries have also been targeted via Simjacker attacks.” While the experts didn’t name the threat actor behind these attacks, they said that they are “quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals”.

Researchers have responsibly disclosed details of the SimJacker vulnerability to the GSM Association, the trade body representing the mobile operator community, as well as the SIM alliance that represents the main SIM Card/UICC manufacturers.

SIM alliance has acknowledged the issue and provided new security recommendations for the S@T Browser technology.

"The Simjacker exploit represent a huge, nearly Stuxnet-like, leap in complexity from previous SMS or SS7/Diameter attacks, and show us that the range and possibility of attacks on core networks are more complex than we could have imagined in the past," the researchers warned.