Can a SIM card propagate malware?
Is it possible that malware can infect a SIM card? What will happen when I insert the SIM card in another phone?
Related, but not duplicate: http://security.stackexchange.com/questions/77532/sim-card-malware-advice
Practically: The use case for this is too small to be worth the effort.
Lets do a very theoretical excursus on how this could be possible:
In theory, every computer communicating with other devices is vulnerable. This is simply due to the fact that interpreting communicated signals always leaves room for error. If such an error is exploitable a virus could infect a SIM card.
Lets assume the SIM card has been infected; the virus took full control of it. When the SIM card is inserted in another phone the same principle applies: simply because the phone is communicating with the SIM card the phone exposes its vulnerabilities. Thus the SIM card could re-infect other phones.
Back to the real world again:
A virus with the capabilities to infect a wide variety of phones would by far exceed the storage space of any SIM card ever manufactured with good intentions. SIM card manufacturers do (to my best knowledge) not publish documentation on their SIM cards internals. I am very sure that exploitable bugs exist in SIM card software. However, finding those is close to impossible imho (due to the concealment of documentation).
Not entirely accurate because a UICC enabled with GlobalPlatform can cause a device to pull down malicious logic in a very similar way as a malware stager.
so i think my phone got a virus from someone on kik and, I did factory reset it but the images and videos were somehow restored so I have my doubts that the virus still exists...although im not sure. I am getting another phone for a different reason and am going to use my current SIM there, so I guess if there is a virus, it wont affect my SIM/new phone.. :)
@martianCactus I think they got restored because Kik keeps that stuff on their servers and its linked to your account. And no - your new phone wont be affected unless your are targeted by a government...
I think the answer that everyone is giving so far is a "qualified yes", with the qualification being that if we're talking strictly about viruses, it's not a terribly effective attack vector.
The answer to "are you likely to propagate a third-party virus by using a sim card on multiple phones?" would be "No, it's not particularly likely" even if there's a slim technical possibility. It's just not an effective way to transport a virus - most people put a sim card in their phone and it stays there until they replace the phone, when they get a new sim card.
If we're talking more broadly about malware, though, the nature of the question shifts from thoughts of script kiddies and adware to state actors, non-state asymmetric warfare, industrial espionage, etc.
In that case, the answer is an unqualified "absolutely."
There's even a defcon paper that touches on the subject:The Secret Life of Sim Cards (though it is a bit dated, and deals with a specific subset of sim cards)
In short, though, SIM cards aren't just little memory cards. They are very tiny self-contained computers. They can, themselves, run malware. While you may have data stored and encrypted on the phone itself that the SIM may never be able to access, the same is not necessarily true of the data you transfer, the numbers you call, the content of your SMS and MMS messages or even the content of the phone calls themselves.
This particular article - Foreign tourists arriving in India with e-visas to get free SIM cards - was what led me to poke around on Stack Exchange Security and elsewhere this morning, to see if there had been recent work in this area. I haven't found anything public yet, except older work that I was already familiar with.
While what India is doing is damned convenient for travelers, it reeks of intelligence gathering. A couple key issues:
- These SIM cards are given to visitors that they're able to identify in advance.
- They provide this service through a state-owned telecommunications company (BSNL)
There is ample opportunity for those particular SIM cards to be loaded with custom malware or even to be manufactured to accommodate larger than usual payloads. It doesn't have to do it via infection, it can do it at the source.
So they're 100% vulnerable at that level - and that's where all of your device authentication takes place, where your private keys are stored for secure network transactions, etc. Pakistan's ISI intelligence agency is notoriously alleged to have extensively hacked BSNL databases by installing spyware on their internal networks - just to indicate the potential for abuse and the range of places where intrusion could come from.
`While what India is doing is damned convenient for travelers, it reeks of intelligence gathering` it feels a little paranoid. Besides location tracking (the thing that is available to **any carrier**), what else info India can get with this step? Phone contacts? He also have access if you call them in their cell network, just via billing.
A malware in the UICC must be a small file.
However, as mentioned by atdre, the malware can act as a stager. In all the UICC (I'm not so sure about old ones) the card can instruct the phone to open a URL in a browser (and do other commands which called proactive commands).
For your question - if you'll switch the card to other phone it can be infected automatically on boot. It depends of the executed code and actions.