Can fake mobile cell tower install an app on the phone?

Question

Android-IMSI-Catcher-Detector [1] claims to prevent silent app installation through GTalkService, in this issue [2] from 2014. However I can't find any other source confirming this is possible. So is it probable to force remote install with fake cell tower? How about permissions of the app installed that way, would data be compromised? Would phone factory reset remove software installed that way?[1] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/[2] https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/issues/151NB: Android-IMSI-Catcher has been removed from F-Droid and Aptoide for some reason.

LarsAlereon · Accepted Answer

No, that's the mechanism Google used to install apps, a fake cell tower wouldn't be able to impersonate Google because they don't have Google's private keys. Also, looking at nearly 10 year old information is not helpful for understanding how Android works today.

salawat · Answer

The baseband processor in a cellular phone has full DMA access to the system. So yes, backend initiated software install with no notification to the end user is absolutely a valid point to represent in a threat model.Rule of thumb for cellular phones: they are not your computer at the end pf the day. Between manufacturer collusion with Telcos, and legally mandated collusion between Telcos & Government, your phone exposes a small enclave of purported privacy that no one will attempt to look at (until they do); the rest of the system is essentially shared in management between user installed applications and stuff done in the background by the service provider.

kosasbest · Answer

Assume the base-band is compromised. No such thing as a 'secure' phone these days. Assume an always-on wiretap scenario.