
What Happened:

  • At 8:40am Telegram sends me a login code via the Telegram desktop app.
  • At 8:44am Telegram informs me that someone has logged into my account via IP address #1 (appears to be PIA VPN).
  • I immediately go and revoke access and begin the process of setting up 2FA with a password.
  • At 8:45am Telegram sends me a login code via the Telegram desktop app.
  • At 8:46am Telegram sends me a login code via the Telegram desktop app. Somewhere around this time I disable wifi on my phone and notice that my phone is not connecting to the mobile internet.
  • At 8:48am Telegram informs me that someone has logged into my account via IP address #1.
  • At 8:48am Telegram informs me that someone has logged into my account via IP address #2.
  • I revoke access to both.

  • I finish setting up 2FA.

  • I restart my phone, my mobile internet is back, and I get two SMSes informing me that my MMS and WAP Service Settings have arrived. These settings appear legitimate.

Other Important Info:

  • My phone company says no one has contacted them / no settings were altered on their end. They haven't been much help otherwise.
  • My SMS log on the phone company's website shows two SMSes received from Telegram that I never saw and that never arrived at my phone. I know this is Telegram's number because I went through the process of logging into Telegram's web interface.
  • No strange apps have sms access permissions on the phone.
  • Anti-virus apps show nothing.
  • Galaxy S8+, up to date, not rooted
  • No other attacks; no other accounts appear to have been compromised.

Questions:

  1. Have any attacks like this been reported before? (can't find any)
  2. What else can I do to try to figure out what happened?

I realize that it's also likely that my phone is owned or that there is a Telegram exploit. Any other information would be helpful.

1 Answer

1. Have any attacks like this been reported before? (can't find any)

SIM card 'hijacking' is possible: a PAC code can be used when transferring a current number to a different existing network. However, when transferring the current number to another SIM card (same network), this can be a speedy process. Linus Tech Tips experienced this type of hijacking.

Although this would involve the old SIM card being deactivated, for security purposes. So this sounds less viable given what you described.

2. What else can I do to try to figure out what happened?

Samsung Galaxy S8s were shipped with Android 8.0 and above, so sandboxing was introduced by then. Review all installed apps that have SMS permissions, or any permissions that could elevate, control and make phone calls and/or read SMS.

Less likely, but your version of Android could contain an exploit, so review CVEs for your Android version, which may have provided an attack vector to access your SMS messages. With rooting an Android device, we only know because the modified kernel does not have signed code. However, if a vulnerability was identified which allowed a jailbreak, privilege escalation could occur without the user's knowledge. Although this is merely speculation, and it's particularly unlikely you are running some type of spyware.

safesploit
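One way to carry out the app-permission review the answer recommends, as an added example that is not part of the question or the answer: a Python script that parses the output of `adb shell dumpsys package` and lists which installed packages have actually been granted SMS- and call-related permissions. The sample dump below is constructed, and the line layout of `dumpsys package` differs between Android versions, so the regular expressions are an assumption to adjust against a real dump.

```python
import re

# On the phone itself: enable USB debugging, then `adb shell dumpsys package > dump.txt`
# and pass the file contents to granted_watched_permissions().
# Permissions the answer says to audit: reading/receiving SMS and placing calls.
WATCHED = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
    "android.permission.CALL_PHONE",
}

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")  # assumed header line of each package block
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_watched_permissions(dump_text):
    """Map package name -> sorted list of WATCHED permissions granted to that package."""
    result = {}
    current = None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)   # every following permission line belongs to this package
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true" and m.group(1) in WATCHED:
            result.setdefault(current, set()).add(m.group(1))
    return {pkg: sorted(perms) for pkg, perms in result.items()}

# Constructed sample in the shape of `dumpsys package` output (not from a real device):
# a messaging app that legitimately holds SMS permissions, and a "flashlight" app that
# has been granted RECEIVE_SMS, which is the kind of mismatch worth investigating.
SAMPLE = """\
Package [com.android.messaging] (1a2b3c):
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true
        android.permission.RECEIVE_SMS: granted=true
Package [com.example.flashlight] (4d5e6f):
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=false
        android.permission.RECEIVE_SMS: granted=true
"""

if __name__ == "__main__":
    for pkg, perms in granted_watched_permissions(SAMPLE).items():
        print(pkg, perms)
```

A package whose purpose has nothing to do with messaging but that appears in this list is the first thing to look at; `granted=false` entries are requested but not granted and are ignored.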