It seems like a terrible security model to "trust whatever cell site is in range." Are there any alternatives to this state of affairs?
For example, can your carrier supply you with a whitelist of their towers and then ignore everything else? Or the legitimacy of each tower could be signed cryptographically by the cell providers? Of course you have to trust the security infrastructure of your cell provider, but that seems slightly better than just trusting everything by default. (Disclaimer, I know nothing about cellular infrastructure...)
There is an Android app called IMSI-Catcher Detector[0] that is supposed to help you detect when you're connected to a stingray-type device. I ran it for around a year and it never once picked up on anything. I'm not involved on the project and can't personally say if it will catch anything or not, but it is open source[1].
[0] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...
[1] https://github.com/CellularPrivacy/Android-IMSI-Catcher-Dete...