More than one billion mobile users are at risk from a SIM card flaw being currently exploited by threat actors, researchers warn.

A vulnerability discovered in mobile SIM cards is being actively exploited to track phone owners’ locations, intercept calls and more – all merely by sending an SMS message to victims, researchers say.

Researchers on Thursday disclosed what they said is a widespread, ongoing exploit of a SIM card-based vulnerability, dubbed “SimJacker.” The glitch has been exploited for the past two years by “a specific private company that works with governments to monitor individuals,” and impacts several mobile operators – with the potential to impact over a billion mobile phone users globally, according to by researchers with AdaptiveMobile Security.

“Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage,” said researchers with AdaptiveMobile Security in a post breaking down the attack, released Thursday.

They said they “observed the hackers vary their attacks, testing many of these further exploits. In theory, all makes and models of mobile phone are open to attack as the vulnerability is linked to a technology embedded on SIM cards.”

The attack stems from a technology in SIM cards called S@T Browser (short for SIMalliance Toolbox Browser). This technology, which is typically used for browsing through the SIM card, can be used for an array of functions such as opening browsers on the phone as well as other functions like setting up calls, playing ring tones and more.

From a high level, threat actors can send messages to victims that use the S@T Browser functionality in order to trigger proactive commands that are sent to the handset. The issue is impacted SIM cards that contain the S@T Browser technology do not check the origin of messages that use the S@T Browser, and also that SIMs allow data download via SMS, researchers said.

These messages contain a series of SIM Toolkit (STK) instructions and is specifically crafted to be passed on to the SIM Card within the device. Once the SMS is received by the SIM card, it uses the S@T Browser library as an execution environment, where it can trigger logic on the handset – mainly for requesting location and specific device information (IMEI).

The responses to these commands are sent back from the handset to the SIM card, where they are stored temporarily. Once the relevant information is retrieved from the handset, another proactive command is sent to the victim’s handset to send an SMS out with the information to the attacker’s handset.

“The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users,” researchers said. “During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated. However the Simjacker attack can, and has been extended further to perform additional types of attacks.”

Once they have sent the message, attackers can lunahc an array of attacks utilizing the S@T Browser, including: location tracking, fraud, denial of service, malware spreading and call interception. Using the attack bad actors can also launch commands like playing a ring tone, sending short messages, setting up calls, and more.

Researchers said that they have seen many of these potential attacks being tested and used by the attacker group. While they did not name the group, they said: “We can say with a high degree of certainty, that the source is a large professional surveillance company, with very sophisticated abilities in both signaling and handsets.”

To mitigate against the attack, users can “investigate if you have SIM cards with S@T Browser technology deployed in your network and if so whether any S@T Browser-specific proprietary security mechanisms can be applied,” researchers said.

Other recommendations include:

Determine whether existing network equipment can be configured to filter binary SMS messages from unauthorised sources.

Consider if current firewalls are simply only GSMA document ‘compliant’. “These GSMA documents should really only be used as a starting point for more effective protection,” according to researchers.

Review the ongoing investigation and research you are doing on what is being encountered in your network.

Researchers said that they have submitted the details of the exploit to the GSMA in terms of vulnerability disclosure, and “will continue to research how the attacks function, look for other variants of the Simjacker exploits and use of the vulnerability.”

While researchers say that the S@T protocol is used by mobile operators in at least 30 countries whose population adds up to over a billion people, in an email to Threatpost, the GSMA that the “potential vulnerability” impacts a “small minority of SIM cards.”

“This research specifically considers SIM cards which make use of a technology not used by most mobile operators, and requires a user to be sent specially coded messages containing commands for the SIM card,” a GSMA spokesperson told Threatpost. “The potential vulnerability is understood to not be widespread and mitigations have been developed for affected mobile networks to implement.”

Moving forward, “the GSMA has worked with the researchers and the mobile industry to create guidance for its members about how to identify which SIMs are impacted and ways to block these malicious messages, and has been working with the impacted member operators to help implement these mitigations,” the GSMA spokesperson told Threatpost.

Further findings from the exploit will be presented at Virus Bulletin 2019 in October.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.