Telco Security

SIMjacker Campaign (2019)

Critical

Sophisticated surveillance campaign exploiting the S@T Browser application on SIM cards to track location, intercept communications, and perform unauthorized operations on mobile devices.

  • Discovered: Sept 2019
  • Duration: 8 Years (2011-2019)
  • Victims: 1M+
  • Regions: Global (4 continents)

Overview

Background

The SIMjacker campaign was discovered by AdaptiveMobile Security researchers in September 2019, revealing a sophisticated surveillance operation that had been active for at least 8 years. The attack exploited the S@T Browser application present on many SIM cards to track locations, intercept communications, and perform unauthorized operations.

The campaign targeted specific individuals and groups across Latin America, West Africa, the Middle East, and Asia Pacific, affecting over 1 million users. The attacks were particularly concerning because they operated completely silently, with victims having no indication their devices were compromised.

Key Characteristics

  • Binary SMS messages invisible to users
  • Executed with SIM Toolkit privileges
  • No user interaction required
  • Responses sent via SMS to attacker-controlled numbers

Technical Details

Attack Methodology

Attack Vector

The attack leveraged the S@T Browser (Wireless Internet Browser) application present on many SIM cards. Attackers sent specially crafted binary SMS messages (SMS-PP) containing S@T Browser commands that executed with SIM Toolkit privileges.

Command Types

  • Location requests (cell tower information)
  • Device information gathering (IMEI, OS version)
  • SMS sending and interception
  • Call initiation and control
  • Browser launching for phishing

Stealth Mechanisms

  • Binary SMS messages not displayed to users
  • Silent execution without user awareness or consent
  • Response data sent via SMS to attacker-controlled numbers
  • No traces left on device or in standard logs

Timeline

Attack Timeline

  • 2011: Campaign Start. Estimated start of SIMjacker campaign with initial deployment of attack infrastructure
  • 2015-2018: Peak Activity. Widespread targeting across multiple regions with sustained surveillance operations
  • September 2019: Public Disclosure. AdaptiveMobile Security publishes research findings revealing the campaign
  • October 2019: Industry Response. Mobile operators begin implementing countermeasures and SMS filtering

Impact Assessment

Financial Impact

  • Estimated $50M+ in investigation and remediation costs
  • Unknown but potentially significant fraud losses
  • Multiple ongoing regulatory investigations

Operational Impact

  • Minimal direct service disruption
  • Significant reputation damage for affected operators
  • Reduced customer confidence in SIM security

Privacy Impact

  • Location data exposed for over 1 million users
  • Device information and communication metadata compromised
  • Extensive unauthorized surveillance of high-profile targets
  • Government officials, activists, and journalists targeted

Lessons Learned

  • Legacy applications on SIM cards can pose significant security risks even years after deployment
  • Binary SMS attacks can operate undetected for extended periods without proper monitoring
  • Comprehensive SIM application security testing is essential before deployment
  • Network-level SMS filtering and monitoring are critical defense mechanisms
  • Industry-wide vulnerability sharing and coordination are necessary for effective response

Preventive Measures

  • Disable unnecessary SIM Toolkit applications, especially legacy browsers
  • Implement robust OTA command authentication and authorization
  • Deploy network-level binary SMS filtering with pattern detection
  • Conduct regular security audits of all SIM card applications
  • Implement enhanced monitoring for suspicious SMS patterns and volumes
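
The network-level binary SMS filtering listed above can be illustrated with the following added example, which is not code from the original page or from any operator's product. It decodes the header of an SMS-DELIVER TPDU and blocks SIM data download messages whose sender is not on an allowlist; the function names, the three verdict strings, the allowlist format and both sample TPDUs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PID_USIM_DATA_DOWNLOAD = 0x7F  # TP-PID "(U)SIM data download", 3GPP TS 23.040

@dataclass
class SmsDeliver:
    sender: str
    pid: int
    dcs: int

def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    """Decode the header of an SMS-DELIVER TPDU (no SMSC prefix)."""
    if len(tpdu) < 13 or tpdu[0] & 0x03 != 0x00:    # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = tpdu[1]                                # TP-OA length in semi-octets
    addr_end = 3 + (digits + 1) // 2
    if len(tpdu) < addr_end + 10:                   # PID, DCS, 7-octet SCTS, UDL
        raise ValueError("truncated TPDU")
    # Numeric addresses are swapped BCD; alphanumeric senders are not decoded here.
    sender = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in tpdu[3:addr_end])[:digits]
    return SmsDeliver(sender, tpdu[addr_end], tpdu[addr_end + 1])

def is_class2_8bit(dcs: int) -> bool:
    """True for 8-bit data with message class 2 (SIM-specific), per 3GPP TS 23.038."""
    if dcs & 0xC0 == 0x00:                          # general data coding group
        return dcs & 0x1F == 0x16                   # class bits valid, 8-bit, class 2
    if dcs & 0xF0 == 0xF0:                          # data coding / message class group
        return dcs & 0x07 == 0x06
    return False

def classify(tpdu: bytes, ota_senders: set) -> str:
    """Return 'allow', 'monitor' or 'block' (hypothetical verdict names)."""
    try:
        msg = parse_sms_deliver(tpdu)
    except ValueError:
        return "monitor"                            # unparsable: hand to an analyst
    if msg.sender in ota_senders:
        return "allow"                              # operator's own OTA platform
    if msg.pid == PID_USIM_DATA_DOWNLOAD:
        return "block"                              # SIM-bound command, unknown source
    return "monitor" if is_class2_8bit(msg.dcs) else "allow"

# Constructed samples: header fields only, user data is filler.
SIM_DOWNLOAD = bytes.fromhex(
    "04 0B 91 51 55 55 05 01 F0 7F F6 91 90 21 01 00 00 00 04 00 00 00 00")
PLAIN_TEXT = bytes.fromhex(
    "04 0B 91 51 55 55 05 01 F0 00 00 91 90 21 01 00 00 00 02 E8 34")

if __name__ == "__main__":
    for name, pdu in (("sim-download", SIM_DOWNLOAD), ("plain-text", PLAIN_TEXT)):
        print(name, classify(pdu, ota_senders=set()))
```

The originating address can be forged, so in a deployment the sender allowlist is typically combined with the ingress link the message arrived on.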