Telco Security

WIBattack Campaign (2019)

Sophisticated attack campaign exploiting the Wireless Internet Browser application on SIM cards

High Severity | SIM Application | 2017-2019

  • Estimated Victims: 100,000+
  • Duration: 2+ Years
  • Affected Regions: 3 Continents
  • Investigation Cost: $20M+

Overview

Attack Summary

The WIBattack campaign was a sophisticated surveillance operation discovered by AdaptiveMobile Security in October 2019, following their earlier SIMjacker research. This attack exploited the Wireless Internet Browser (WIB) application present on certain SIM cards to conduct unauthorized surveillance and data collection.

Similar to SIMjacker but targeting a different SIM application, WIBattack demonstrated that multiple SIM Toolkit applications could be vulnerable to exploitation through binary SMS messages. The campaign affected users across Europe, Asia, and Africa, with an estimated 100,000+ potential victims.

Background & Discovery

Discovery Process

WIBattack was discovered by AdaptiveMobile Security as a follow-up to its SIMjacker research. The team investigated whether other SIM applications could be exploited using similar techniques, which led to the discovery of WIBattack.

Context

The campaign demonstrated that multiple SIM applications could be exploited for similar attacks, highlighting systemic security issues in SIM Toolkit application design and deployment.

Scope

The campaign affected SIM cards carrying the WIB application across multiple operators in Europe, Asia, and Africa. The attack had been active for approximately 2 years before discovery.

Technical Details

Attack Methodology

Target Application

Application ID: A0000000871004

Wireless Internet Browser (WIB) - A SIM Toolkit application designed for basic web browsing functionality on feature phones.

Attack Vector

  • Binary SMS containing WIB-specific commands sent to target devices
  • SMS-PP (Point-to-Point) messages with WIB command sequences
  • Commands executed with SIM Toolkit application privileges
  • Silent execution without user awareness or notification

Command Capabilities

Surveillance Functions

  • Location information requests
  • Device information gathering
  • SMS manipulation and interception

Control Functions

  • Call control functions
  • Browser control and manipulation
  • Response data exfiltration

Execution Flow

  1. Target Identification: Attacker identifies target phone number (MSISDN)
  2. Binary SMS Crafting: WIB-specific command sequence created and encoded
  3. Message Delivery: SMS-PP message sent to target device via SMS-C
  4. Silent Execution: WIB application processes command without user notification
  5. Data Collection: Requested information gathered from device/network
  6. Response Exfiltration: Data sent back to attacker-controlled number via SMS

Timeline

Attack Timeline
Key events in the WIBattack campaign

  • 2017 - Estimated Campaign Start: Initial WIB exploitation activities detected in retrospective analysis
  • 2018-2019 - Active Exploitation Period: Sustained targeting of specific regions and demographics across Europe, Asia, and Africa
  • October 2019 - Public Disclosure: AdaptiveMobile Security publishes WIBattack research findings
  • November 2019 - Industry Response: Mobile operators implement countermeasures and WIB-specific filtering rules

Impact Assessment

Financial Impact

  • Investigation Costs: $20M+ across operators
  • Remediation Expenses: Significant SIM replacement costs
  • Fraud Potential: Moderate direct financial fraud

Operational Impact

  • Surveillance Capability: Extensive unauthorized operations
  • Privacy Violations: Significant breaches for targets
  • Trust Impact: Further erosion of SIM security confidence

Technical Impact

  • Application Security: Multiple SIM app vulnerabilities
  • Detection Challenges: Difficulty preventing similar attacks
  • Security Gaps: Revealed testing inadequacies

Response Measures

Immediate Response

  • Implementation of WIB-specific SMS filtering rules
  • Enhanced monitoring for WIB-related binary SMS
  • Customer advisories and security updates

Medium-Term Response

  • Comprehensive audit of all SIM Toolkit applications
  • Enhanced OTA security controls for WIB applications
  • Development of application-specific security policies

Long-Term Response

  • Industry-wide review of SIM application security
  • Enhanced security requirements for SIM Toolkit applications
  • Improved vulnerability assessment processes

Lessons Learned

Key Lessons Learned

Multiple Application Vulnerabilities

Multiple SIM applications can be vulnerable to similar attack techniques, requiring comprehensive security testing of all SIM Toolkit applications.

Comprehensive Security Testing

Need for thorough security testing of all SIM applications, not just commonly used ones, to identify potential vulnerabilities.

Application-Specific Controls

Importance of implementing application-specific security controls and monitoring for each SIM Toolkit application.

Threat Intelligence Sharing

Value of threat intelligence sharing across the industry to identify and respond to similar attack patterns.

Proactive Vulnerability Assessment

Critical need for proactive vulnerability assessment rather than reactive responses to discovered attacks.

Preventive Measures
Recommendations to prevent similar attacks

Technical Controls

  • Disable unnecessary WIB applications on SIM cards
  • Implement application-specific OTA filtering
  • Enhanced binary SMS monitoring and analysis
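
The filtering and monitoring controls listed above and under Immediate Response, sketched as an SMS-firewall classification rule. This is an added example, not code from AdaptiveMobile Security or any operator; field meanings follow 3GPP TS 23.040 and TS 31.115. The TAR watch-list entry, the OTA platform address and the sample message are constructed placeholders, since the page gives none.

```python
from dataclasses import dataclass

# Constructed placeholders: the page lists no TAR values or OTA platform addresses.
WATCHED_TARS = {"AABBCC"}          # hypothetical TAR of the WIB applet on the SIM profile
OTA_ALLOWLIST = {"+10000000001"}   # hypothetical address of the operator's own OTA platform

@dataclass
class SmsPp:
    src: str     # originating address as seen by the SMS firewall
    pid: int     # TP-PID
    dcs: int     # TP-DCS
    udhi: bool   # TP-UDHI: user data starts with a header
    ud: bytes    # TP-UD

def sim_directed(m: SmsPp) -> bool:
    """TP-PID 0x7F is (U)SIM data download; message class 2 is (U)SIM-specific."""
    has_class = (m.dcs & 0xF0) == 0xF0 or (m.dcs & 0xD0) == 0x10
    return m.pid == 0x7F or (has_class and (m.dcs & 0x03) == 0x02)

def command_packet(m: SmsPp):
    """Return (SPI first byte, TAR hex) for a TS 31.115 command packet, else None."""
    if not m.udhi or not m.ud or m.ud[0] >= len(m.ud):
        return None
    udhl, i, found = m.ud[0], 1, False
    while i + 1 <= udhl:                   # walk the UDH information elements
        found |= m.ud[i] == 0x70           # IEI 0x70: command packet header
        i += 2 + m.ud[i + 1]
    body = m.ud[1 + udhl:]                 # CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) ...
    if not found or len(body) < 10:
        return None
    return body[3], body[7:10].hex().upper()

def classify(m: SmsPp):
    """Return (action, reason) for one message."""
    if not sim_directed(m):
        return ("pass", "ordinary-sms")
    if m.src in OTA_ALLOWLIST:
        return ("allow", "operator-ota")
    pkt = command_packet(m)
    if pkt and pkt[1] in WATCHED_TARS:
        return ("block", "watched-tar")
    if pkt and (pkt[0] & 0x07) == 0:       # no RC/CC/DS and no ciphering requested
        return ("block", "unprotected-command-packet")
    return ("block", "sim-directed-from-unknown-source")

# Constructed sample: security header fields only, counter and payload bytes zeroed.
HDR = bytes.fromhex("027000" "0010" "0D" "0000" "00" "00" "AABBCC" "0000000000" "00" "0000")
```

The reason strings let monitoring separate watch-listed application traffic from other SIM-directed messages arriving from sources outside the operator's OTA platform.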

Operational Measures

  • Regular security audits of all SIM Toolkit applications
  • Improved security testing methodologies for SIM applications
  • Industry-wide vulnerability disclosure and response processes