Part 2. SIM cards as a platform for malicious code: experiments, applets, forensics

25.07.2025 15 minutes Author: Cyber Witcher

In the second part of our investigation into the SIMURAI platform, we reveal how a SIM card can be used as a full-fledged Trojan that spies, attacks, and interacts with a smartphone without the user’s knowledge. Using Java Card applets, OTA downloads, interposers, and detailed analysis of SIM commands, the researchers show how a simple card can be turned into a conduit for surveillance and control. The article covers the attack architecture, the lifecycle of malicious applets, access mechanisms to Android and iOS, and protection against such threats. If you work in cybersecurity, research SIM attacks, or simply want to know how secure your SIM card is, this article will be both an exposé and a roadmap.

SIMURAI in action: creating, loading and testing Java applets

SIMURAI is not just a platform for studying SIM card vulnerabilities, it is a real laboratory in the researcher’s pocket. What previously required complex protocols, proprietary operator equipment, and deep infrastructure integration has now become accessible to almost every security professional. The main goal of SIMURAI is to allow researchers to create their own Java applets, load them onto real SIM cards, and test the capabilities of espionage, interception, manipulation, and phishing. All without losing control over the environment, in a secure environment, and with full flexibility.

Developing Java applets for SIMURAI begins with building CAP files, the packaged Java Card programs in the form that SIM cards accept. By default, such applets can read data from the SIM file system, intercept STK events, process system commands, and even interact with the user through SIM pop-up menus. In the SIMURAI environment this process is greatly simplified by its own toolchain, which lets you build an applet in just a few minutes.

The main components of the system look like this:

  • Java Card Builder module – applet creation, signing and packaging;

  • SIMURAI CLI – command line tool for loading applets and managing SIM;

  • SDK with examples – dozens of templates for different types of attacks: from IMSI-catching to phishing SIM Toolkit menus.

While previously loading applets onto a SIM required access to OTA servers or special software, SIMURAI offers a more versatile approach — an interposer. This is a simple adapter that is inserted between the SIM and the smartphone, intercepting traffic and allowing data to be written or retrieved from the card. Through it, you can not only load new applets, but also create a live testing environment — for example, emulate network behavior, trigger STK responses, or simulate base station requests.

A typical attack scenario in a SIMURAI environment includes:

  • Writing an applet that responds to a network signal or STK command;

  • Loading the applet via an interposer or OTA;

  • Triggering a behavior on the phone (e.g., popping up a menu or sending an SMS);

  • Logging all responses and events for analysis.

What is most interesting is that the system allows you to work with real SIM cards of any operator. Thanks to the support of dozens of models, including the latest nanoSIM, the researcher can test the same attack on different devices: from budget Android to the latest iPhone. This allows you to see how real users will react to phishing requests or unexpected menus, and which vectors can be used in a real environment.

Thus, SIMURAI is the first open framework that allows you to conduct full-fledged experiments with SIM cards without restrictions and risks. This is not just a tool, it is a new model of research in the field of mobile security, where the SIM card is no longer a “black box” but becomes a transparent object of analysis, experiments and training. And if in the first part we only touched on the potential of the SIM as a Trojan, now we see the full picture: how exactly to create, download and manage this Trojan – independently, accurately, in a controlled manner.

SIM Attack: How an Interposer Works in Practice

An interposer is an invisible but incredibly powerful link between your smartphone and your SIM card. It is physically inserted between the device and the card, intercepts all commands sent to the SIM, and allows you to not only read this data, but also modify it or send your own. In the hands of a researcher, it is an ideal tool for debugging Java applets, analyzing traffic, and even simulating malicious behavior. In the hands of an attacker, it is a bridge to full control over the user’s SIM card.

The essence of the interposer’s work is that it acts as a kind of “transparent proxy” between the mobile device and the SIM card. Every command sent by the phone (even at the base station level) passes through this adapter. SIMURAI allows you not only to intercept these commands, but also to change them on the fly or inject new ones — which opens up space for hundreds of attack scenarios and protection testing.

The real capabilities of interposer testing include:

  • Live loading of Java applets without access to operator OTA;

  • Logging of APDU commands (the command/response protocol exchanged between the phone and the SIM);

  • Intercepting or modifying STK commands that the phone sends to the SIM card;

  • Emulating network conditions, such as sudden reboot or loss of coverage.

During the experiments, several adapter models were tested, from simple ones sold on AliExpress to purpose-built boards with automatic logging and session saving. The best results came from adapters with a USB output and support for SIMtrace, the open-source Osmocom project for monitoring SIM card traffic. This lets you see in real time how a Java applet loaded via SIMURAI behaves in the system, reacts to commands, or tries to send something.

To understand how powerful this is, one example is enough: using an interposer, the researcher was able to create a scenario where the SIM card, after a normal phone startup, sent an SMS with the user’s IMSI code to a specified number. All this – without any permissions on the smartphone, without installing applications and even without visual confirmation. This is the power of the adapter.

List of real-world problems that interposer can solve:

  • Downloading test malicious applets without risk to the system;

  • Studying the behavior of the mobile OS when interacting with the SIM;

  • Analysis of SIM card responses to STK requests and phishing possibilities;

  • Testing different SIM card models and their resistance to tampering.

Thus, the interposer is not just a socket in the communication chain, but a full-fledged laboratory between the plastic and the system. With it, the researcher gets full access to low-level processes that were previously closed even to mobile operators. This is a weapon of future attacks and future protection. That is why SIMURAI emphasizes this technology as the basis for research and practical use of SIM security.

Tests on real devices: Samsung, iPhone, Pixel, OnePlus

Theory is good, but the main question for every researcher is: does the attack work on a real device? SIMURAI provides a full-fledged testing ground for Java applets and SIM attacks in real conditions, on real smartphones. To check how deep it is possible to penetrate the system through a SIM card, the researchers conducted tests on the four most popular categories of devices – Samsung, iPhone, Pixel and OnePlus. Each of them showed its own vulnerabilities, features and unexpected reactions to a malicious SIM.

The first experiment was conducted on a Samsung Galaxy S series. It tested a Java applet that, after turning on the phone, activated the STK menu with the “Update number” button. Everything looked like part of the usual SIM card maintenance. The user, without suspecting anything, entered the number – and the data was immediately sent as an SMS message to a hidden server. Interestingly, Android did not block the event, and the system considered it part of the SIM functionality, without displaying any warnings.

On the iPhone, the result was different. Apple iOS more actively restricts STK commands and Java applets, but SIMURAI allowed us to bypass this by manipulating APDU queues: when the system was started, a certain combination of commands allowed us to activate hidden STK interaction. This was how a menu was implemented that imitated an operator notification about new bonuses. Clicking on it opened an applet that requested a passport or ID card number — a typical phishing scam.

On the Pixel, everything went even more interesting. Google devices provide greater transparency in logs, and this is what made it possible to track how the system communicates with the SIM. It was noticed that even when STK was blocked, some applets could respond to network updates. As a result, a simple but effective attack was implemented: after connecting to the network, the applet read the ICCID and IMSI and sent them via a hidden SMS channel, even without notifying the user.

List of tested scenarios on different phones:

  • Samsung: launch STK menu → dial number → send via SMS;

  • iPhone: hidden menu → phishing → request for personal data;

  • Pixel: automatic call → read IMSI → exfiltration;

  • OnePlus: SIM update emulation → change STK settings → overwrite items.

OnePlus, in particular, was very vulnerable to the interposer. By modifying the SIM in real time, it was possible to replace the STK request, turning the phone into an “assistant” for collecting data. The menu looked like a request from the operator’s support service, but it was launched directly from a malicious applet.

The conclusion is obvious: there is no “secure” smartphone when the attacker has control over the SIM card. The OS does not expect the SIM to become a Trojan, and therefore even the latest devices are susceptible to this side of the attack. And until a separate check of SIM communications appears in each mobile OS, this channel will remain ideal for phishing, surveillance and identity theft.

Black SIM as a Service: “SIM as a Backdoor”

At first glance, a SIM card is just a small chip that allows you to connect your smartphone to the network. But in fact, it is a full-fledged computer with its own processor, memory, operating system and even the ability to run applications (applets). And this is where the fun begins: if someone loads a malicious applet onto it, the SIM becomes an invisible point of intrusion — a backdoor that is not visible in the smartphone settings or to antivirus software.

The SIMURAI study shows that today the creation, deployment and use of malicious SIM applets can be automated, and therefore turned into a service. The researchers have already implemented a full-fledged concept of SIM as a Service: you load a SIM applet into the system, and it autonomously performs the necessary actions — from collecting IMSI codes to sending malicious commands to the network.

Here’s what a typical life cycle of such an attack looks like:

  • SIM applet preparation: malicious code is created using the Java Card API;

  • Loading onto the SIM card: via the OTA channel or physically (via an interposer);

  • Activation: SIM launches applet when connecting to the network or after a command from the server;

  • Execution: applet interacts with the phone, calls STK menu, sends SMS, receives and executes commands;

  • Removal or sleep mode: after execution, the task is deleted or the applet “sleeps” waiting for new instructions.

This means that an attacker can deploy a network of infected SIM cards that “sleep” until they are launched or until the user crosses a border, inserts a SIM into a phone, or turns on the Internet. And all this without the need for access to the device itself.

Several examples of malicious applets were created as part of the research:

  • SMS Extractor — an applet that transfers the contents of an SMS to an external number;

  • SIM Data Controller — allows you to change the ICCID or read identifiers;

  • Phishing Module — simulates an STK menu that asks for confidential data;

  • Communication Module — opens a channel to the attacker’s server to receive new commands.

And here it becomes obvious: the SIM is no longer a passive participant in the mobile process. It is able to initiate actions, receive instructions, transmit information – and do so without the user noticing. And since it is controlled by a mobile operator or an attacker, the SIM becomes inaccessible to classic security tools.

This completely changes the threat model. If previously the main attack channel was applications, Wi-Fi or SMS phishing, now SIM can be not a victim, but a source of attack. That is why the SIMURAI study is important: it shows that SIM as a backdoor is no longer a theory, but a completely real, controllable and massive threat.

SIMURAI Platform: a new generation research arsenal

To really study attacks on SIM cards, theoretical analysis alone is not enough. You need a platform that allows you to safely create, load and run malicious applets, testing them in the most realistic conditions. It is exactly such a platform that the authors of the study created – they called it SIMURAI. This tool was a breakthrough in practical SIM security analysis, as it allowed for the first time to fully reproduce and debug the entire attack chain – from writing the code to its launch on a real smartphone.

SIMURAI consists of several components that together form a laboratory for SIM attacks. The main advantage is that it allows not only to simulate, but also to physically implement malicious actions on the SIM with accuracy down to individual commands and hardware responses.

Key features of the platform:

  • Java Card applet editor with the ability to insert malicious instructions;

  • OTA download module that emulates the delivery of applets over the network;

  • Interposer — a special adapter that is installed between the SIM and the phone, allowing you to intercept and modify data in real time;

  • Logger of STK commands and APDU responses, allowing you to analyze the interaction of the SIM and the device;

  • Virtual emulator that displays the device’s reaction to the actions of the SIM card.

SIMURAI doesn’t just allow you to “play with applets”, but fully simulates the operation of the mobile operator, the SIM card and the interaction with the phone’s OS. This is extremely important, because it is in this interaction that most vulnerabilities arise – for example, in the way Android or iOS handle STK requests.
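The APDU and STK logging described in the interposer section and in the logger feature above produces traces of FETCH commands and their responses. As an added example, not code from SIMURAI or SIMtrace, the following Python analyzer runs over a constructed trace of that shape: it pairs each FETCH with the card's answer, decodes the proactive command BER-TLV (tag 0xD0, as laid out in ETSI TS 102 223 / 3GPP TS 31.111) and flags the command types through which an applet can push data to the network or put a prompt in front of the user. The trace, the phone numbers and the menu text are constructed; the type-of-command values and tags are the standard's. It generalizes past the two commands the article describes (a silent SMS and an "Update number" prompt) to the whole family of network-sending and input-soliciting commands.

```python
"""Decode SIM Toolkit proactive commands from an APDU trace and flag the risky ones.
Added example, not SIMURAI or SIMtrace code. Trace lines are "> <hex>" (phone to SIM)
and "< <hex>" (SIM response, SW1 SW2 included). The SIM delivers a proactive command in
its response to FETCH (INS 0x12) as a BER-TLV with tag 0xD0 (ETSI TS 102 223)."""
from typing import Dict, List, Optional, Tuple

INS_FETCH = 0x12
TAG_PROACTIVE = 0xD0        # outer "proactive UICC command" tag
TAG_COMMAND_DETAILS = 0x01  # command number, type of command, qualifier
TAG_ALPHA_ID = 0x05         # label the phone may show for the command
TAG_TEXT_STRING = 0x0D      # DCS byte followed by the text

# Type-of-command values from ETSI TS 102 223 that matter for this check.
COMMAND_NAMES = {
    0x10: "SET UP CALL", 0x11: "SEND SS", 0x12: "SEND USSD", 0x13: "SEND SHORT MESSAGE",
    0x15: "LAUNCH BROWSER", 0x21: "DISPLAY TEXT", 0x22: "GET INKEY", 0x23: "GET INPUT",
    0x24: "SELECT ITEM", 0x25: "SET UP MENU", 0x26: "PROVIDE LOCAL INFORMATION",
    0x28: "SET UP IDLE MODE TEXT", 0x40: "OPEN CHANNEL", 0x43: "SEND DATA",
}
NETWORK_COMMANDS = {0x10, 0x11, 0x12, 0x13, 0x15, 0x40, 0x43}  # card pushes data out
PROMPT_COMMANDS = {0x22, 0x23, 0x24, 0x25}                      # card asks the user

Command = Dict[str, object]  # keys: number, type, name, prompt

def read_length(data: bytes, i: int) -> Tuple[int, int]:
    """BER length at data[i]: one byte, or 0x81 plus one byte. Returns (length, next index)."""
    return (data[i + 1], i + 2) if data[i] == 0x81 else (data[i], i + 1)

def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of simple TLVs; the comprehension-required bit (0x80) of the tag is
    cleared so that 0x81 and 0x01 both read as 'command details'."""
    out, i = [], 0
    while i < len(data):
        tag = data[i] & 0x7F
        length, i = read_length(data, i + 1)
        if i + length > len(data):
            raise ValueError("truncated TLV")
        out.append((tag, data[i:i + length]))
        i += length
    return out

def decode_text(tag: int, value: bytes) -> str:
    """Alpha identifiers are bare text; text strings start with a DCS byte. Only the
    8-bit alphabet (DCS 0x04) is decoded here; other alphabets are left as hex."""
    if tag == TAG_ALPHA_ID:
        return value.decode("latin-1")
    if value and (value[0] & 0x0C) == 0x04:
        return value[1:].decode("latin-1")
    return value.hex()

def decode_proactive(payload: bytes) -> Optional[Command]:
    """payload is a FETCH response with its trailing SW1 SW2 already removed."""
    if not payload or payload[0] != TAG_PROACTIVE:
        return None
    length, start = read_length(payload, 1)
    cmd: Optional[Command] = None
    for tag, value in parse_tlvs(payload[start:start + length]):
        if tag == TAG_COMMAND_DETAILS and len(value) == 3:
            cmd = {"number": value[0], "type": value[1], "prompt": "",
                   "name": COMMAND_NAMES.get(value[1], f"UNKNOWN 0x{value[1]:02X}")}
        elif tag in (TAG_ALPHA_ID, TAG_TEXT_STRING) and cmd is not None:
            cmd["prompt"] = decode_text(tag, value)
    return cmd

def assess(cmd: Command) -> List[str]:
    """What a reviewer of the trace should be told about this command."""
    findings = []
    if cmd["type"] in NETWORK_COMMANDS:
        findings.append("sends data to the network")
        if cmd["type"] == 0x13 and not cmd["prompt"]:
            findings.append("no alpha identifier: the phone need not show anything while sending")
    if cmd["type"] in PROMPT_COMMANDS:
        findings.append("puts a SIM-originated prompt in front of the user")
    return findings

def analyze_trace(lines: List[str]) -> List[Tuple[Command, List[str]]]:
    """Pair each FETCH with the next card response and decode what the SIM asked for."""
    results, awaiting_fetch = [], False
    for line in filter(str.strip, lines):
        direction, hexbytes = line.split(maxsplit=1)
        data = bytes.fromhex(hexbytes)
        if direction == ">":
            awaiting_fetch = len(data) >= 2 and data[1] == INS_FETCH
        elif awaiting_fetch:
            cmd = decode_proactive(data[:-2])  # drop SW1 SW2
            if cmd is not None:
                results.append((cmd, assess(cmd)))
            awaiting_fetch = False
    return results

# Constructed, abridged trace: a SEND SHORT MESSAGE with no alpha identifier, a GET INPUT
# titled "Update number", and a harmless idle-mode text. Every number and text is made up.
TRACE = """\
> 80 12 00 00 21
< D0 1F 81 03 01 13 00 82 02 81 83 86 07 91 21 43 65 87 09 F1 8B 0B 01 00 05 81 21 43 F5 00 04 01 41 90 00
> 80 12 00 00 1F
< D0 1D 81 03 02 23 00 82 02 81 82 8D 0E 04 55 70 64 61 74 65 20 6E 75 6D 62 65 72 91 02 01 10 90 00
> 80 12 00 00 13
< D0 11 81 03 03 28 00 82 02 81 82 8D 06 04 48 65 6C 6C 6F 90 00
"""

if __name__ == "__main__":
    for cmd, findings in analyze_trace(TRACE.splitlines()):
        print(f"#{cmd['number']} {cmd['name']} prompt={cmd['prompt']!r}: {'; '.join(findings) or 'no finding'}")
```

Run against the constructed trace, the first command is reported as a SEND SHORT MESSAGE with no alpha identifier and the second as a GET INPUT prompt, while the idle-mode text produces no finding. Feeding it a real SIMtrace or interposer log only requires converting that log to the two-column hex form shown above; 7-bit packed and UCS-2 texts come out as hex because the decoder deliberately handles only the 8-bit alphabet.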

An important element was the support for live networks. Through the interposer, the platform could work with a real signal, simulating the behavior of the SIM in the real network of the mobile operator. This allowed, for the first time in the history of cybersecurity, to test a “live” SIM attack on a real smartphone with a real card.

A typical scenario for working with SIMURAI looks like this:

  • The developer creates an applet in the editor;

  • The OTA module “sends” it to the SIM (via an interposer or direct loading);

  • The SIM card is activated in the device — for example, an iPhone or Samsung;

  • The STK command is sent or receives input data;

  • All events are logged, analyzed, and compared with expected scenarios.

As a result, the researcher gets the most realistic picture that cannot be reproduced by any emulators or simulations. And most importantly, the platform works without root access to the phone, which makes it universal for testing even on protected devices.

SIMURAI showed that the future of mobile security depends not only on the code of applications or firmware, but also on a deep understanding of the invisible components of a smartphone – such as the SIM card. And now that there is such a tool, no one will have the excuse “we didn’t know it was possible”.

Conclusions: a new vision of mobile threats through the SIM

For many years, the SIM card remained in the shadows – it was considered simply an authentication tool, “plastic with a code” that does not pose a direct threat. However, the results of the SIMURAI study completely destroyed this myth: today the SIM is a full-fledged attack platform that can operate autonomously, deeply, covertly and for a long time. It has all the components to be not only a communication channel, but also an infiltration point, a backdoor, a spy, and even a control mechanism.

In today’s world, where every user has a smartphone, mobile security can no longer ignore the SIM. The study found:

  • The SIM card is capable of launching sophisticated attacks at the STK, SMS, OTA and other channel levels.

  • Java Card applets can be malicious, transmit data, affect device behavior or secretly interact with the network.

  • Through interposers and real-world tests, attacks were replicated on live networks, including iPhone, Samsung, OnePlus and Pixel.

  • The SIMURAI platform proved that these attacks are not theory, but fully implemented practice.

All this requires a rethinking of the mobile threat model. It is no longer enough to protect only applications, Wi-Fi or Bluetooth. You need to analyze SIM firmware, monitor OTA communication, verify STK calls and have tools to detect malicious applets.
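The call to monitor OTA communication can be made concrete at the point where OTA messages are logged, whether by the interposer or by the SIMURAI OTA module: such messages reach the card inside an SMS-PP data download ENVELOPE, and their security header says how much the card is being asked to trust them. As an added example, not code from SIMURAI, here is a Python check of an OTA command packet laid out as in ETSI TS 102 225 (the successor of GSM 03.48): it decodes the SPI, key, TAR and counter fields and rejects packets that would have the card accept a command without an integrity check, without ciphering or without replay protection. Both packets are constructed, the MAC and ciphertext bytes are dummies, and the policy in is_acceptable is this example's, not any operator's.

```python
"""Check the security header of an OTA (SMS-PP) command packet before trusting it.
Added example, not SIMURAI code. Layout per ETSI TS 102 225 / GSM 03.48:
CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(CHL-13) secured data."""
from typing import Dict, List

INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}           # SPI byte 1, bits b2b1
COUNTER_MODE = {0: "no counter", 1: "counter not checked",   # SPI byte 1, bits b5b4
                2: "counter must exceed last", 3: "counter must be last+1"}
TAR_CARD_MANAGER = "000000"  # issuer security domain / card manager (ETSI TS 101 220 Annex D)

def parse_command_packet(pkt: bytes) -> Dict[str, object]:
    """Split the header fields; length mismatches raise so a malformed packet is never accepted."""
    cpl = int.from_bytes(pkt[:2], "big")
    if cpl != len(pkt) - 2:
        raise ValueError(f"CPL {cpl} does not match packet length {len(pkt) - 2}")
    chl = pkt[2]
    if chl < 13 or 3 + chl > len(pkt):
        raise ValueError(f"bad CHL {chl}")
    spi1, spi2 = pkt[3], pkt[4]
    mac_len = chl - 13                       # RC/CC/DS field fills the rest of the header
    return {
        "integrity": INTEGRITY[spi1 & 0x03],
        "ciphered": bool(spi1 & 0x04),
        "counter_mode": COUNTER_MODE[(spi1 >> 3) & 0x03],
        "por_required": (spi2 & 0x03) == 1,
        "kic_key_set": pkt[5] >> 4, "kid_key_set": pkt[6] >> 4,
        "tar": pkt[7:10].hex().upper(),
        "counter": int.from_bytes(pkt[10:15], "big"),
        "padding": pkt[15],
        "mac": pkt[16:16 + mac_len],
        "secured_data": pkt[3 + chl:],
    }

def findings(fields: Dict[str, object]) -> List[str]:
    """Reasons a monitor would raise for this packet."""
    out = []
    if fields["integrity"] in ("none", "RC"):
        out.append("no cryptographic check (CC/DS): the card cannot tell who sent this")
    if not fields["ciphered"]:
        out.append("payload sent in clear")
    if fields["counter_mode"] in ("no counter", "counter not checked"):
        out.append("no replay protection")
    if fields["tar"] == TAR_CARD_MANAGER and out:
        out.append("weakly protected packet addressed to the card manager (applet management)")
    return out

def is_acceptable(fields: Dict[str, object]) -> bool:
    """Policy of this example: CC or DS, ciphering and a checked counter are all required."""
    return not findings(fields)

# Constructed: SPI 00 00 (no integrity check, no ciphering, no counter) addressed to TAR 000000.
WEAK_PACKET = bytes.fromhex("0013 0D 0000 00 00 000000 0000000000 00 00A4040000")
# Constructed: SPI 1E 21 (CC, ciphered, counter must be last+1, PoR required), key set 1 for
# both KIc and KID, TAR B00010, a dummy 8-byte CC and a dummy ciphertext.
SECURED_PACKET = bytes.fromhex("001A 15 1E21 15 15 B00010 000000002A 00 1122334455667788 DEADBEEF")

if __name__ == "__main__":
    for label, pkt in (("weak", WEAK_PACKET), ("secured", SECURED_PACKET)):
        f = parse_command_packet(pkt)
        print(label, f["tar"], f["integrity"], f["counter_mode"], findings(f) or "accepted")
```

The check deliberately treats a redundancy check (RC) as no authentication, since it is a checksum anyone can compute, and it only escalates a TAR 000000 packet when the header is already weak, because legitimate applet management traffic also uses that TAR. What the card itself does with such a packet depends on its personalisation; the monitor shows you what it is being asked to do.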

It is worth understanding that the SIM is a “silent agent” that we all carry with us. It can work independently of the system, in the background, without notifications, without windows and without consent. And that is why it is an ideal tool for espionage, surveillance, remote control.

From now on, no mobile device security assessment will be complete without SIM analysis. The SIMURAI study has set a new standard for the depth and realism of analysis. It has proven that we can no longer afford to underestimate the small card hiding under the tray.
