Simjacker Technical Report
©2019 AdaptiveMobile Security
3.2 Structure of a typical Simjacker Message

At a logical high level, a typical Simjacker message observed in the wild has the following structure.
Figure 3: Simjacker Attack Message Structure

The following is the explanation of the commands. Note that for most of the below there are many variations of the attack observed; these are covered in more detail in Section 5.
3.2.1 Simjacker S@T/STK Command Order

As shorthand, we use ST for commands that are defined in [3], and STK for commands that are defined in [10]. If other commands use different specifications, they are indicated. Both the ST and STK commands are defined as TL[A]V variables.
1. S@T Push Create Dynamic Deck Create Card
A sequence of Push, Create Dynamic Deck and Create Card commands are run. In the attacker’s case they normally set a bit that indicates that the Deck shall not be cached by the ST browser. This is done to ensure there isn’t any trace of the message preserved on the SIM. In addition, the attackers often use a ResetVar Attribute value in the Card declaration to ensure that the Variables are reset after the commands finish (see Section 3.2.2).
2. S@T Create INIT Variable
The first INIT Variable contains a fully formed SMS-SUBMIT Message Header which was received in the Simjacker message. Its main interest to us is that it contains a TP-DA. This is the Destination Address to which the subsequent Data Message should be sent (i.e. the Exfiltration Address). This information is stored in Variable 1.
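
For an analyst who has recovered the first INIT Variable from a captured message, the following added example (not code from the report) decodes the TP-DA from an SMS-SUBMIT header. It assumes the bytes follow the 3GPP TS 23.040 SMS-SUBMIT layout starting at the first octet; the function and class names are hypothetical, and the sample header and phone number are constructed.

```python
# Added example (not from the report): decode the TP-DA of an SMS-SUBMIT header.
# Assumption: the bytes follow the 3GPP TS 23.040 SMS-SUBMIT layout from octet 0.
from dataclasses import dataclass

TON = {0: "unknown", 1: "international", 2: "national", 5: "alphanumeric"}
BCD = "0123456789*#abc"  # semi-octet values 0x0-0xE; 0xF is the fill nibble


@dataclass
class SubmitHeader:
    mr: int           # TP-Message-Reference
    ton: str          # type of number from the TP-DA type-of-address octet
    destination: str  # decoded TP-DA
    pid: int          # TP-Protocol-Identifier
    dcs: int          # TP-Data-Coding-Scheme


def parse_submit_header(raw: bytes) -> SubmitHeader:
    if len(raw) < 4:
        raise ValueError("too short for first octet, TP-MR and TP-DA prefix")
    first, mr, da_len, toa = raw[:4]
    if first & 0x03 != 0x01:
        raise ValueError("TP-MTI does not indicate SMS-SUBMIT")
    ton = (toa >> 4) & 0x07
    if ton == 5:
        raise ValueError("alphanumeric TP-DA is not decoded here")
    end = 4 + (da_len + 1) // 2  # TP-DA length counts semi-octets, not octets
    if len(raw) < end + 2:
        raise ValueError("truncated before TP-PID/TP-DCS")
    nibbles = []
    for octet in raw[4:end]:
        nibbles += [octet & 0x0F, octet >> 4]  # low nibble holds the first digit
    nibbles = nibbles[:da_len]
    if any(n == 0x0F for n in nibbles):
        raise ValueError("fill nibble inside the address digits")
    number = "".join(BCD[n] for n in nibbles)
    if ton == 1:
        number = "+" + number
    return SubmitHeader(mr, TON.get(ton, "other"), number, raw[end], raw[end + 1])


# Constructed sample header; +15555550123 is a fictional number.
SAMPLE = bytes.fromhex("11000B915155550521F30004")

if __name__ == "__main__":
    print(parse_submit_header(SAMPLE))
```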