Simjacker Meaning: A Brand New Mobile and SIM Threat

In this article, you will find everything you need to know about the latest mobile (SIM) threat: Simjacker.





Simjacker is a vulnerability associated with SMS messages delivered to SIM cards. It is an SMS-based hacking technique that is being actively exploited by a spyware vendor to track individual phone users. For the past two years, a highly sophisticated threat actor has used Simjacker against mobile phones in multiple countries, primarily for the purpose of surveillance.

As with most attacks of this kind, users are unaware of the attack while it is in effect and their data is being retrieved. To carry it out, an attacker uses a smartphone, a GSM modem, or any A2P (Application-to-Person) service to send an SMS message to a victim’s phone number. These SMS messages contain hidden SIM Toolkit (STK) instructions that are supported by the device’s S@T Browser, an application that resides on the SIM card rather than on the phone.

Beware! Your Mobile Phone can Spy on You. 

How does Simjacker Work?

The S@T Browser and STK instructions are an old technology supported on some mobile networks and their SIM cards (to know more about S@T Browser and STK instructions, you can visit here.). The technology can be used to trigger actions on a device, like launching browsers, playing sounds, or showing popups. In the early days of mobile networks, operators used the same protocols to send promotional offers or to provide billing information. To make matters worse, the Simjacker attack is completely silent: victims don’t see any SMS messages in their inboxes or outboxes. The threat actors continuously bombard victims with SMS messages and keep track of their locations as they move through the day, week, or month.

The exploit has been used to spy on individuals on a daily basis, and it is one of the most sophisticated attacks ever seen over core mobile networks. The attack begins with an SMS (the Simjacker Attack Message) sent to a targeted mobile handset. The message is sent from another handset, a GSM modem, or an SMS sending account connected to an A2P account, and it contains a series of SIM Toolkit (STK) instructions. The Simjacker message is specifically crafted to be passed on to the UICC/eUICC (SIM card) within the device.

For the instructions to work, the attack exploits the presence of a particular piece of software on the UICC known as the S@T Browser. The browser was designed to let mobile carriers provide basic functions, like subscription data or over-the-air updates, to their customers. Other commands supported by the S@T Browser include the ability to make calls, power off SIM cards, and enable services such as getting an account balance through the SIM card. But the hackers have exploited that intent, abusing the protocol to send an SMS to a phone and instruct the device to carry out the attacker’s commands.

Once the Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment, from which it can trigger logic on the handset. The Simjacker code running on the UICC then requests the location and specific device information (the IMEI number) from the handset, and sends the collected information to a recipient number via another SMS, again by triggering logic on the handset. In this way the location and IMEI information is exfiltrated to a remote phone controlled by the attacker.

During the attack, the user is unaware of both the Simjacker Attack Message and the retrieved information being sent outwards in the Data Message SMS, as there is no indication of either SMS in the inbox or the outbox of the victim’s device. Devices from every manufacturer are being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards. The only good thing about the attack is that it doesn’t rely on regular SMS messages, but on more complex binary code delivered as an SMS. This means network operators can configure their equipment to block such data from traversing their networks and reaching client devices.

Simjacker attack in 3 easy steps:

  1. The hacker convinces a phone company to switch the user’s phone number to a SIM the hacker controls.
  2. The hacker pokes around through the victim’s digital life, from various accounts to business records.
  3. The hacker then extorts the victim.


The Impact of Simjacker

We live in an innovative world, and there are technologies available on both sides of the law when it comes to exploiting users’ personal data. All mobile phones, brand new or otherwise, are open to attack, as the vulnerability is linked to a technology embedded on SIM cards. The Simjacker attack seems to have affected over 1 billion mobile phone users globally, majorly impacting regions like West Africa, Europe, and the Middle East, along with any other region of the world where the SIM card technology is in use. The attacks seem to work independently of the handset type, as the exploit depends on the software on the SIM card and not on the device.

The Simjacker attack can be termed the first real-life case of malware sent within an SMS, since most other SMS-borne malware is delivered as a link to the malware and not as the malware itself. Roughly 100-150 specific individual phone numbers are being targeted per day via Simjacker attacks. A few phone numbers, presumably high-value, were subject to tracking attempts several hundred times over a 7-day period, while others saw smaller volumes. A similar pattern can be seen in the per-day activity: many numbers were targeted for several days, weeks and even months, while others were hit by a one-time attack. These patterns and the number of tracking attempts indicate that this is not mass surveillance but an operation designed to track a number of individuals for a variety of purposes.
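The operator-side blocking of binary SMS mentioned earlier and the repeated per-number tracking described above can be checked together in SMSC logs. This is an added example, not code from the original article: it assumes log records that expose the TP-PID and TP-DCS header fields defined in 3GPP TS 23.040/23.038, and the record layout, the allow-list name, the low threshold and the sample data are constructed for illustration.

```python
from collections import defaultdict

SIM_DATA_DOWNLOAD_PID = 0x7F  # TP-PID value for (U)SIM Data Download

def dcs_class(dcs):
    """Return the message class (0-3) encoded in TP-DCS, or None if no class is set."""
    group = dcs >> 4
    if group == 0xF:                    # "data coding / message class" group
        return dcs & 0x03
    if group <= 0x7 and dcs & 0x10:     # general group with the class flag set
        return dcs & 0x03
    return None

def flag_sim_bound(records, ota_allowlist):
    """Keep SIM-addressed messages that did not come from an allow-listed OTA source."""
    return [r for r in records
            if (r["pid"] == SIM_DATA_DOWNLOAD_PID or dcs_class(r["dcs"]) == 2)
            and r["src"] not in ota_allowlist]

def repeat_targets(flagged, window_days=7, threshold=3):
    """Destinations hit at least `threshold` times inside any `window_days`-day window."""
    days = defaultdict(list)
    for r in flagged:
        days[r["dst"]].append(r["day"])
    hits = {}
    for dst, ds in days.items():
        ds.sort()
        best, lo = 0, 0
        for hi in range(len(ds)):
            while ds[hi] - ds[lo] >= window_days:   # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[dst] = best
    return hits

# Constructed sample records (not real traffic); "OTA-PLATFORM" is a hypothetical allow-listed source.
SAMPLE = [
    {"src": "OTA-PLATFORM", "dst": "+10000000001", "pid": 0x7F, "dcs": 0xF6, "day": 1},
    {"src": "+10000000099", "dst": "+10000000002", "pid": 0x00, "dcs": 0x00, "day": 1},
    {"src": "+10000000099", "dst": "+10000000003", "pid": 0x7F, "dcs": 0xF6, "day": 1},
    {"src": "+10000000099", "dst": "+10000000003", "pid": 0x7F, "dcs": 0xF6, "day": 2},
    {"src": "A2P-ACCT-17", "dst": "+10000000003", "pid": 0x00, "dcs": 0x16, "day": 6},
    {"src": "+10000000099", "dst": "+10000000004", "pid": 0x7F, "dcs": 0xF6, "day": 3},
    {"src": "+10000000099", "dst": "+10000000004", "pid": 0x7F, "dcs": 0xF6, "day": 20},
]

if __name__ == "__main__":
    print(repeat_targets(flag_sim_bound(SAMPLE, {"OTA-PLATFORM"})))
```

The same header test is what an SMS firewall rule would match on; the sliding-window count separates one-off hits from the sustained tracking of a single number.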

In some ways, this is a math problem. A major consumer carrier likely gets thousands of SIM forwarding requests per day, and only a dozen SIM porting attacks. By employing clever social engineering techniques, a hacker can make thousands, maybe millions, of dollars in one day.


Watch your Step, User Precautions

To deal with this vulnerability, we and the mobile operators need to alter our mindset when it comes to the security of user data. Some of the basic and necessary steps are listed below:

  1. Demand additional security from your service provider.
  2. Limit your downside exposure: disable phone-based account recovery on your cloud account. (2FA requires 2 factors, usually entering an email plus a code texted to your phone to log in, and account recovery is how your login credentials are reset if you forget your login info.)
  3. After an attack, exercise damage control.
  4. Contact the Service provider for further action.
  5. Make sure you don’t repeat passwords.

What next?

As a demanding society, our use of phone numbers has evolved over time from just making phone calls to many other uses: personal, social and financial. The vulnerability behind the Simjacker attack could easily have been prevented if mobile operators had shown some restraint in what code they put on their SIM cards.

The mobile operators will also need to constantly investigate suspicious and malicious activity to discover hidden attacks. Operators will also need to increase their own abilities and investment in detecting and blocking these attacks as the attackers have expanded their abilities beyond exploiting unsecured networks. This also means that relying on existing recommendations will not be sufficient to protect themselves, as attackers like these are always going to evolve and evade.

That is everything one needs to know about Simjacker. You should exercise the precautions mentioned above before such a malicious attack is made against you.

In the contemporary world, it is a sad fact that the SIM is not the only thing exposed to threats. With the advent of paperless technology, each and every step we take on our computers, laptops, and mobile phones is monitored and can be hijacked. Online payments are preferred by everyone in today’s world. This brings me to another major malicious threat: MAGECART. This attack can steal people’s credit card information when they enter it on the checkout page of another website. SCARY! Isn’t it? But don’t be scared. Blarrow to the rescue, always. To know more, visit





An Architect by profession & practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks & Architecture Technology in the far more technologically-advanced world made her realise that there is a lack of necessary awareness among people. Hence, keeping you all updated and protected by all means with subjects from Architecture Technology to Security Awareness. Currently working as a Head of Content, content writer & creator at BLARROW.TECH
