The shadowy world of phone-surveillance-for-hire became a little clearer last week following the discovery of a phone exploit called Simjacker.

The exploit, discovered by mobile carrier security company ActiveMobile Security, allows attackers to remotely exploit a phone simply by sending a text message. From the report:

The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands.

The message won’t even display to the user, it said. Furthermore, because the attack is independent of phone brand, around a billion phone users are vulnerable.

AdaptiveMobile Security found people using the exploit, which researchers speculated about as far back as 2011. In a report on the technology, the company said:

We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated attacker group.

The attack works using a legacy browser technology embedded in the SIM card on many mobile phones. Called the [email protected] Browser, it is normally used for browsing through the phone’s SIM card, but it can also receive specially crafted messages sent by the carrier network. These are not regular messages; they’re binary code, used to process special instructions.

The browser was normally used to send things like promotional messages but the attackers used it to process invisible requests for the phone’s location data and its International Mobile Equipment Identity (IMEI), which is an ID unique to every mobile phone. They’d send a message to the [email protected] browser asking it for this information, which it would then retrieve and store on the SIM card. The attacker could then retrieve it by sending another message.