I reverse engineered what this does in practice on pinephone modem (Quectel EG25G), for example, and there are pre-compiled binaries there for tmobile and vodafone that process their particular OMA DM flavors, download some configuration and code from internet and run it under root on the modem's SoC ARM CPU. (that's still isolated over USB from the main pinephone SoC, but obviously not good) It's also thankfully disabled by default, but if you google for oma dm android, you get reports of this protocol being used still.
Whatever it does on regular Android phone depends on how well it is implemented on android. Regular phones don't have two almost-isolated SoCs like pinephone, so oma dm client would probably run on the main SoC, and all depends on how secure that binary blob is or what it does/allows the operator to do.
Quectel software is a bit of a turd, so I woudln't take from this that operators can run random code they make the device download under root user, using this protocol. Most proprietary software like this is pretty shit, so I wouldn't feel warm and fuzzy safe on random Android device either.
Can one use pinephones to collect these blobs, and then try to run them on Android simulator or whatever for more specific knowledge about operators' practices?
I was about to say it might be through the carriers. I put a Verizon sim in my phone and I got a bunch of BS apps installed on my phone a few days later.
I reverse engineered what this does in practice on pinephone modem (Quectel EG25G), for example, and there are pre-compiled binaries there for tmobile and vodafone that process their particular OMA DM flavors, download some configuration and code from internet and run it under root on the modem's SoC ARM CPU. (that's still isolated over USB from the main pinephone SoC, but obviously not good) It's also thankfully disabled by default, but if you google for oma dm android, you get reports of this protocol being used still.
Whatever it does on regular Android phone depends on how well it is implemented on android. Regular phones don't have two almost-isolated SoCs like pinephone, so oma dm client would probably run on the main SoC, and all depends on how secure that binary blob is or what it does/allows the operator to do.
Quectel software is a bit of a turd, so I woudln't take from this that operators can run random code they make the device download under root user, using this protocol. Most proprietary software like this is pretty shit, so I wouldn't feel warm and fuzzy safe on random Android device either.