Adaptive Mobile which is the cyber-security company that found the Simjacker attack published a list of countries where local mobile operators ship SIM cards that are vulnerable to Simjacker.
There are a total of 29 countries across five continents, even though Adaptive Mobile did not mention which telco providers are vulnerable in each:
Central America: Mexcio, Guatemala, Belize, Dominican Republic, El Salvador, Honduras, Panama, Nicaragua and Costa Rica
South America: Brazil, Peru, Colombia, Ecuador, Chile, Argentina, Uruguay and Paraguay
Africa: Ivory Coast, Ghana, Benin, Nigeria and Cameroon
Europe: Italy, Bulgaria and Cyprus
Asia: Saudi Arabia, Iraq, Lebanon and Palestine
The Simjacker attack which was publicly disclosed in mid-September exploits SIM cards that has Java applet named the [email protected] Browser pre-installed in it.
If the mobile operator did not configure the “security level” of an [email protected] Browser app installed on its SIM cards, it is possible for anyone to send a specially formatted binary SMS (called an OTA SMS) to a user’s phone number and run malicious commands without the knowledge of the user. It includes commands like tracking the device’s location, sending SMS messages, opening a browser etc.
Adaptive Mobile stated in September that rthe attack had been used in the real world but delayed to provide any additional details until this month, when its security researchers where supposed to present the results of the Simjacker investigation at the Virus Bulletin 2019 security conference.
After the security conference, the company provided more details about the Simjacker attacks which they have observed in the wild. Together with listing the countries where mobile operators have misconfigured SIM cards, Adaptive Mobile also revealed the countries where it detected attacks. The countries include Mexico, Colombia, and Peru. The attack had however been only used to track users’ locations, and nothing else.
The company also found evidence that Simjacker was developed by a company that sells surveillance software to governments across the world.
According to a blog post published by Adaptive Mobile, they haven’t named the company responsible as they would require some additional proof which would also reveal specific methods and information that would impact their ability to protect subscribers.
The company assured that the ‘average’ person is not likely to be targeted, as the main targets are probably those that are of interest to nation-state customers.
SRLabs updated its SIMTester app last month to support Simjacker scans. The app lets the users to know if they have the [email protected] Browser app installed on their SIM card, and if the app has been misconfigured and left vulnerable to Simjacker attacks.
Besides, Adaptive Mobile also looked into WIBattack, a Simjacker-like attack that works in the similar way, but targets the WIB app installed on SIM cards, instead of [email protected] Browser.
Adaptive Mobile stated that the number of countries and mobile operators vulnerable to WIBattack is very less as compared to the ones vulnerable to Simjacker.