Adaptive Mobile -- the cyber-security company that discovered the Simjacker attack[1] -- published today a list of countries where local mobile operators ship SIM cards vulnerable to Simjacker.
The list includes 29 countries across five continents, albeit Adaptive Mobile did not list which telco providers are vulnerable in each:
Central America:
Mexcio
Guatemala
Belize
Dominican Republic
El Salvador
Honduras
Panama
Nicaragua
Costa Rica
South America:
Brazil
Peru
Colombia
Ecuador
Chile
Argentina
Uruguay
Paraguay
Africa:
Ivory Coast
Ghana
Benin
Nigeria
Cameroon
Europe:
Italy
Bulgaria
Cyprus
Asia:
Saudi Arabia
Iraq
Lebanon
Palestine
What is Simjacker
The Simjacker attack[2] was publicly disclosed in mid-September. The attack exploits SIM cards that come with a pre-installed Java applet named the S@T Browser.
If the mobile operator forgot to configure the "security level" of an S@T Browser app installed on its SIM cards, anyone could send a specially formatted binary SMS (called an OTA SMS) to a user's phone number and run malicious commands without the user's knowledge -- such as tracking the device's location, sending SMS messages, opening a browser, and more.
In September, Adaptive Mobile said the attack had been used in the real world but deferred offering additional details until this month, when its security researchers where scheduled to present the results of the Simjacker investigation at the Virus Bulletin 2019 security conference.
Simjacker attacks spotted in Mexico, Colombia, and Peru.
Now that the security conference has come and gone, the company kept its promise and provided more details about the Simjacker attacks it observed in the wild.
But besides listing all the countries where mobile operators have misconfigured SIM cards and have left the S@T Browser app open to attacks, Adaptive Mobile also revealed the countries where it detected attacks.
These are