A popular attack these days is usage of fake roaming requests. They require nothing except knowledge of your IMEI, and IMEIs can be bought bulk online from android app devs.
That's how British MPs were, allegedly, pwned en masse in 2016
Are you sure you're not mixing up IMEI (identifiers of hardware handsets and end devices, can be often reflashed), with IMSI (identifiers on the SIM, and therefore the number and subscription associated with the SIM (simplified description)) ?
You don't need to "buy", but you need to FIND, the IMSI of the target you're going to do fake roaming (fake Location Update) request on. This is most of the time doable.
That's how British MPs were, allegedly, pwned en masse in 2016