My understanding is that they rely primarily on the IP packet TTL. If you're tethering, each packet will have a TTL one lower than if the phone was the originating node.
I know that at one points some carriers used DPI to check for patterns that indicate non-mobile use (connections to things like Windows Update, for instance).
I know that at one points some carriers used DPI to check for patterns that indicate non-mobile use (connections to things like Windows Update, for instance).