This was driven home to me many years ago when I popped a SIM from a Mexican carrier that had an embedded Domino's Pizza app on it. Suddenly the Windows Mobile phone I was testing had a new icon on it.
Maybe, but you'd be surprised what kinds of SIM application toolkit based products there are in the world. These are actually running on the SIM, with your phone only proxying input/output!
For example, in many African countries, you have M-Pesa [1], which was at least initially entirely based on SAT.
Is it still a backdoor if it is publicly documented?
Also, the API is somewhat limited. "Installing applications" here means "downloading code to the SIM card", which arguably has always been the phone provider's property.
It's definitely not possible to install apps on the application processor OS via SIM-OTA. That would be OS-based carrier profiles, which the OS vendor has deliberately implemented.
Not really updated, but new applications can be remotely installed and then interact with the baseband and (to a limited extent) the smartphone OS.
It's not "any entity", though – the provider's keys are needed to do this, and they can already do much of that tracking using other, network-side means.
They could (using a setup like the one in the article), but the payload is usually encrypted in addition to being authenticated, and such OTA updates are done for legitimate reasons all the time.