Last year, I worked on reverse engineering Android implementations of IMS, the next generation 4G IP based telephony suite of protocols, with Jethro Beekman at Berkeley.
In addition to our technical report on MITM vulnerabilities against T-Mobile's Wi-Fi Calling feature (due to unvalidated SSL certificates), we continued to look at IMS systems in general, and how T-Mobile and Android implemented them. We found that, amongst other things, Digest AKAv1, the authentication and key exchange protocol used in IMS, doesn't correctly require use of the generated secret keys, allowing a variety of attacks. Furthermore, generally accessible APIs in both core Android and in T-Mobile's customized ROMs allow apps with just the READ_PHONE_STATE permission to access the IMS authentication routines in the SIM card, making it possible for low-privilege malware on a phone to let a remote attacker authenticate as that phone.

A simple example of why you might care: An attacker can pretend to be you (your number, your subscriber ID, your phone) and call premium 1-900 numbers or send text premium text messages, costing you real money.

Jethro presented our paper at USENIX WOOT (Workshop On Offensive Technologies) 2013 a couple weeks ago. The paper, slides, and video of the talk (thank you USENIX open access policies!) are available at https://www.usenix.org/conference/woot13/breaking-cell-phone-authentication-vulnerabilities-aka-ims-and-android.