Security research by AdaptiveMobile Security has discovered a new vulnerability, nicknamed Simjacker, which has been used by an unnamed surveillance company to spy on people's phones.
The technique used in this surveillance is simple: the hacker sends SMS messages containing instructions for an old S@T Browser app supported on some carriers' SIM cards. Where S@T was originally intended to launch browsers, play sounds or otherwise trigger common actions on phones, Simjacker uses it to obtain location info and IMEI numbers, which are later sent to an "accomplice device" (again using SMS) that records the data.
The attack happens silently: the user has no idea that their device has been made to send an SMS, the attackers can collect data from the device any time they want, and no trace of the attack is left behind.
The attack is device-agnostic and has been performed on iPhones, some Android devices, and some SIM-equipped Internet of Things devices.
The attack is not just theoretical research: the company has found that it has been used in more than 30 countries around the world (mainly in the Middle East, North Africa, Asia, and eastern Europe) for at least two years.
It was also reported that the attack was initiated against a large number of devices but remained active against only a small number of people, with 250 being the most noticeable targets. AdaptiveMobile has also said that this was not a mass surveillance campaign, and it has not revealed what the purpose of the campaign was.
The company has said that networks should be prepared to stop these attacks: the SMS messages sent by the attackers contain codes, not everyday text, so they can be identified with ease and blocked.
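
The kind of check a network-side SMS filter can apply, as an added example that is not from AdaptiveMobile or the original article. It assumes the distinguishing header fields are the ones 3GPP TS 23.040 defines for SIM-directed binary messages (TP-PID "SIM Data Download", 8-bit class 2 TP-DCS); the `ota_senders` allowlist of the operator's own provisioning senders and both sample PDUs are hypothetical and constructed.

```python
# Added example: classify SMS-DELIVER TPDUs by header fields only.
# Field layout follows 3GPP TS 23.040; sample PDUs are constructed, not captured.

PID_SIM_DATA_DOWNLOAD = 0x7F  # TP-PID "(U)SIM Data Download"


def parse_deliver_header(tpdu: bytes) -> dict:
    """Return sender, TP-PID and TP-DCS of an SMS-DELIVER TPDU (no SMSC prefix)."""
    if len(tpdu) < 2 or tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    n_digits = tpdu[1]                      # TP-OA length in semi-octets
    pos = 3 + (n_digits + 1) // 2           # index of the TP-PID octet
    if len(tpdu) < pos + 10:                # PID, DCS, 7-octet timestamp, UDL
        raise ValueError("truncated TPDU")
    # Address digits are stored nibble-swapped (low nibble first).
    nibbles = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in tpdu[3:pos])
    return {"sender": nibbles[:n_digits], "pid": tpdu[pos], "dcs": tpdu[pos + 1]}


def dcs_is_8bit_class2(dcs: int) -> bool:
    """True when TP-DCS means 8-bit data, class 2 (SIM-specific message)."""
    if dcs >> 6 == 0:                       # general data coding group
        return bool(dcs & 0x10) and (dcs >> 2) & 0x3 == 1 and dcs & 0x3 == 2
    if dcs >> 4 == 0xF:                     # data coding / message class group
        return bool(dcs & 0x04) and dcs & 0x3 == 2
    return False


def verdict(tpdu: bytes, ota_senders: frozenset) -> str:
    """'block' for a SIM-directed binary SMS whose sender is not allowlisted."""
    h = parse_deliver_header(tpdu)
    sim_directed = (h["pid"] == PID_SIM_DATA_DOWNLOAD
                    or dcs_is_8bit_class2(h["dcs"]))
    if sim_directed and h["sender"] not in ota_senders:
        return "block"
    return "allow"


# Constructed samples: an ordinary text and a binary message with placeholder data.
ADDR = "0B915155550501F0"                   # sender 15555550100, international
STAMP = "91902101000000"                    # 7-octet service-centre timestamp
TEXT_SMS = bytes.fromhex("04" + ADDR + "0000" + STAMP + "02E834")
BINARY_SMS = bytes.fromhex("44" + ADDR + "7FF6" + STAMP + "0400000000")

if __name__ == "__main__":
    for name, pdu in (("text", TEXT_SMS), ("binary", BINARY_SMS)):
        print(name, verdict(pdu, frozenset()))
```

Legitimate over-the-air SIM updates use the same header values, which is why the check is paired with a sender allowlist rather than blocking on format alone.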