Yesterday, security researchers at AdaptiveMobile Security revealed the existence of a new exploit called "Simjacker", which allows remote monitoring of targeted phones (among other potential actions) using nothing more than a malicious SMS. They even claim that the exploit has been actively used over the past two years by "an extremely sophisticated threat actor in several countries". All of that sounds like a big problem, and unfortunately for worried consumers, the researchers leave a lot of questions unanswered.

The attack works over SMS: a malicious actor sends a message to a targeted phone number. This message contains a set of instructions designed to run in the environment built into some modern SIM cards. A SIM card actually contains a tiny "computer" that performs simple functions. If the SIM card is running a specific software package, it can ask your phone for certain data such as your IMEI or location, and even have your phone transmit this information via SMS to other people. The researchers believe that it could also be used for even more harmful purposes, such as installing malware, remote spying or fraud via premium-rate calls. Although some of these potential actions require user interaction to succeed, the exploit provides the means to set them up.

AdaptiveMobile Security is convinced that the exploit was created by "a specific private company that works with governments to monitor people" and that the breakdown of the attacks it monitored shows targeting whose priorities change over time, the result of a clear and deliberate action.

Unfortunately for us, critical questions such as "who is affected?" and "which operators use compatible SIM / eSIM cards?" are intentionally left unanswered. The researchers say that essential parts of the exploit are used by carriers in "at least 30 countries" covering more than one billion people, but we do not know which markets or carriers are actually on this list. That omission is almost certainly meant to "bait" attention, because with such a general formulation almost anybody could be affected. While this may pose a real and serious threat, the security researchers are withholding vital information for a future conference, claiming that this advance publication was meant to assess the reaction of those using the exploit.

We contacted the four largest US carriers to find out if they could be affected, and so far, Sprint, AT&T and T-Mobile have told us that their customers would not be affected.