My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


SIM Toolkit (CVE-2015-3843)

Vulnerability in the SIM Application Toolkit (STK) subsystem. It is a set of tools that allows a SIM card to initiate and execute different commands in order to implement additional functions (the mentioned technology is used, for example, to form a SIM menu of the communications service provider). Vulnerability CVE-2015-3843, which is detected in Android 5.1 and earlier, allows cybercriminals to intercept and emulate SIM commands. It can be used, for example, to create fake windows during a confirmation of financial transactions.

Dr.Web Anti-virus for Android detects and removes malicious applications that use the CVE-2015-3843 vulnerability, even on attempt to install them on the attacked device, so users of Dr.Web Anti-virus are effectively protected from such Trojans.

Technical details

Vulnerability in SIM Application Toolkit (STK), which is a part of a standard Android framework, allows to intercept commands sent by the SIM card to the device. The malicious program can create the Parcelable object and then send it to the class The class does not check the sender, and the action android.intent.action.stk.command is not indicated in the manifest file as a protected message, so cybercriminals get the opportunity to emulate sending of SIM card commands.

For example, when making a transaction with a mobile banking application, the SIM card asks for confirmation of the operation by displaying a message with buttons “OK” and “Cancel”. Via the action android.intent.action.stk.command, cybercriminal can create a fake window with an arbitrary text and display it a moment earlier than the SIM card generates the original message. Thus, the user will not see the original text until they click one of the offered buttons. If they click “OK”, method sendResponse() with the flag “true” will be called. As the result, the SIM card, which waits for user actions, will receive the command “OK”. This command will be proceeded as one received from the original dialog box.

See also information about other vulnerabilities