The new attack is called WIBattack and it is very much like attack Simjacker, revealed earlier this month.
The two attacks work the same way. The difference is that they aim differently applications running on SIM cards.
Simjacker executes commands that target it S @ T Browser application. WIBattack sends commands to Wireless Internet Browser (WIB) app.
These are two Java applets, called Companies mobile phones install on SIM cards. Applications are designed to remotely manage client devices.
Attackers can send a specially configured SMS (OTA SMS), which executes STK (SIM Toolkit) instructions to SIM cards.
The commands supported in the WIB app are similar to those of S @ T Browser. These are:
- Obtain location data
- Send SMS
- Send USSD requests
- Send SS requests
- Audio playback
- Display text on the device
- Launch an internet browser with a specific URL
Hackers carry out this attack to watch them users- steps. The attackers can locate the victim's location, make phone calls or listen to conversations.
Both WIBattack and Simjacker discovered 2015, but the researchers had not revealed their findings publicly.
According to their calculations, there are millions phones with SIM cards that have the WIB app.
SIMTester is a desktop application that helps users to check their SIM cards for errors security. SnoopSnitch is one Android application, which also detects vulnerabilities in SIM cards and operating system errors.
The researchers used the two applications to investigate the effect of Simjacker and WIBattack.
They examined 800 SIM cards. The results showed that most mobile phones no longer have S @ T and WIB applets.
The results were as follows:
- 9,4% of the tested SIMs had the S @ T applet installed
- 5,6% of SIMs are vulnerable to Simjacker because SIMs are not protected
- 10,7% of SIMs have the WIB applet installed
- 3,5% of SIMs are vulnerable to WIBattack attack
- Overall, 9,1% of tested cards were vulnerable to attacks against S @ T or WIB applet
Also, of the 500.000 SnoopSnitch users tested, few reported receiving OTA SMS messages, which are necessary to carry out the attacks.
Most of the messages targeted users in Latin and South America.
These results show that most users nowadays are not on risk. Only a handful of mobile providers worldwide sell SIM cards with both applications.
Users who want to check if their cards are running S @ T or WIB apps can use the SIMTest app.
However, even if there are two applications on the SIM card, this does not mean that the device is vulnerable. To attack, attackers must send OTA SMS messages to both applications. This can be blocked by mobile carriers, by activating security features in both SIM card applications.
"In the mobile field, Simjacker and WIBattack attacks seem less attractive to criminals than SS7 or social engineering attacks," said Karsten Nohl, SRLabs security researcher.