Is it possible to get a sim card virus?
Can a SIM card propagate malware? What will happen when I insert the SIM card in another phone?
An article I was reading had the following lines - A sim card virus is a type of ransomware that encrypts files on your SIM card, making them impossible to access. It requires you to pay (usually via bitcoin) for the decryption key in order to regain access. Typically it will be indicated as coming from an email address with information about how much was paid and what they got in return so far.
I think the answer to the question of having a sim card virus is a "qualified yes", with the qualification being that if we're talking strictly about viruses, it's not a terribly effective attack vector. The answer to "are you likely to propagate a third-party virus by using a sim card on multiple phones?" would be "No, it's not particularly likely" even if there's a slim technical possibility. It's just not an effective way to transport a virus - most people put a sim card in their phone and it stays there until they replace the phone, when they get a new sim card. If we're talking more broadly about malware, though, the nature of the question shifts from thoughts of script kiddies and adware to state actors, non-state asymmetric warfare, industrial espionage, etc.
In that case, the answer is an unqualified "absolutely." There's even a defcon paper that touches on the subject:The Secret Life of Sim Cards (though it is a bit dated, and deals with a specific subset of sim cards) In short, though, SIM cards aren't just little memory cards. They are very tiny self-contained computers. They can, themselves, run malware. While you may have data stored and encrypted on the phone itself that the SIM may never be able to access, the same is not necessarily true of the data you transfer, the numbers you call, the content of your SMS and MMS messages or even the content of the phone calls themselves. This particular article - Foreign tourists arriving in India with e-visas to get free SIM cards - was what led me to poke around on Stack Exchange Security and elsewhere this morning, to see if there had been recent work in this area. I haven't found anything public yet, except older work that I was already familiar with.
While what India is doing is damned convenient for travelers, it reeks of intelligence gathering. A couple key issues: These SIM cards are given to visitors that they're able to identify in advance. They provide this service through a state-owned telecommunications company (BSNL) There is ample opportunity for those particular SIM cards to be loaded with custom malware or even to be manufactured to accommodate larger than usual payloads. It doesn't have to do it via infection, it can do it at the source. So they're 100% vulnerable at that level - and that's where all of your device authentication takes place, where your private keys are stored for secure network transactions, etc. Pakistan's ISI intelligence agency is notoriously alleged to have extensively hacked BSNL databases by installing spyware on their internal networks - just to indicate the potential for abuse and the range of places where intrusion could come from.