Cripes, what a breathlessly clueless article. This has fuck all to do with "Android security": the towers are MITMing GSM, and the tech to do this has been around in some form since 2003.
Slate reported last year that IMSI catchers or similar technologies were "in the hands of the feds since about 1995 [...] widely deployed since the mid '90s".
Wikipedia does suggest it was "first commercialized" from 2003, but that doesn't mean that the technology wasn't around even earlier. (Ross Anderson has referred to interference from governments in the security design of GSM, and the possibility of fake towers could well have been one of several things those responsible for the interference had in mind.)
We've been invited to collaborate with that project in some way (and it "aims to be recommended by" EFF in the future), but I'm not aware of any announced collaboration between AIMSICD and EFF so far.
Interesting question. Perhaps the best way to figure out who owns these would be to destroy one and set up a camera trap to see who comes out to fix it. I'm sure that with a little creativity it would be possible to 'fake' a fault (my favorite being the apocryphal tale of shooting frozen pigeons out of an air cannon to knock microwave towers out of alignment).
Those are just stingrays though, right? It's unclear as the article says towers but doesn't say whether anyone has actually seen a tower, only that they've detected attacks through their secure Android phones.
If this is just a report of stingray use it should come as no surprise that they are in widespread use & that non-targeted phones latch on to the signals.
But it has 468 vulnerabilities patched! I wonder how they inflated this number. I'd bet a lot of it comes from Samsung customizations, meaning you get pretty good protection just by flashing an Android build that's closer to Google releases. Also, if there are serious vulnerabilities among that number, it's a bit disappointing that they took an open-source project (well, such as Android is) and hoard their fixes under this license.[1] It sounds like they don't even permit you to flash your own build ("to compile it solely for the purpose of comparing the compiled version to the binary code provided by GSMK").
Christ, Popsci is a terrible site to try and use from Australia. Trying to access any URL just gives a lazy redirect to the front page of popsci.com.au, with the helpful error message "Oops! Something went wrong. Please scroll down to find your content."
Important questions that should be put to Apple and Google loudly and frequently: Why don't we have baseband transparency to know what our phones are connected to? Why don't we have baseband firewalls?
https://en.wikipedia.org/wiki/IMSI-catcher
https://en.wikipedia.org/wiki/Stingray_phone_tracker