Meet ‘Simjacker,’ a nasty mobile vulnerability researchers say puts 1 billion phones at risk

A unnamed spyware vendor is using malicious SMS messages to infiltrate victims' phones, according to AdaptiveMobile Security.

A vulnerability in smartphone technology has made it possible for outsiders to conduct targeted surveillance against victims for the past two years, according to new security findings.

Researchers from AdaptiveMobile Security said Thursday they found an SMS-based hacking technique that actively is being exploited by a spyware vendor to track individual phone users. The company did not disclose who is behind the surveillance or the identities of the victims.

Researchers warned that the attack, dubbed “Simjacker,” has ramifications for more than 1 billion mobile phones worldwide. By relying on malicious text messages, hackers infect target phones to retrieve location information and other data. The attack leverages SIM cards, a circuit that stores customers’ international mobile subscriber information in a way that isn’t restricted to a single phone platform.

“This is potentially the most sophisticated attack ever seen over core mobile networks,” Cathal Mc Daid, AdaptiveMobile Security’s chief technology officer, said in a statement. “It’s a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators and impacts the national security of entire countries.”


The SimJacker vulnerability exists in the S@T Browser, a kind of software that’s embedded in most SIM cards produced by phone companies in 30 nations. It was designed to allow mobile carriers beam basic functions, like the subscription data or over-the-air updates, to customers. But the hackers in this case have exploited that intent, abusing the protocol to send an SMS to a phone and instructing the device to carry out malicious commands.

“Now that this vulnerability has been revealed, we fully expect [that] exploit authors and other malicious actors will try to evolve these attacks into other areas,” Mc Daid said in the statement.

Latest Podcasts