All you need is a routine in the radio firmware that recognizes a specific signal and either turns off the radio or floods the towers with traffic. Better yet - request instructions from a server and deploy resources according to the plans they get - communications meltdown, massive DDoS on critical services, you name it.
And since it's in the radio controller, it's pretty much hidden from view. You can root your Android phone or jailbreak your iPhone all you want, the radio controller is pretty much a separate computer.
On the other hand, subverting Google's own official 'kill-switch' at a later date could be the work of a lone vandal or disgruntled employee, and reflects more negatively on Google than manufacturers.
(BTW, I have nothing against Chinese hackers specifically; they're just a usefully vivid example from recent events. The same observation goes for any person or entity that gets momentary control of the official platform-wide revocation mechanism. Its mere existence, for either the iOS or Android ecosystems, makes it a super-juicy target for evildoers.)
Only if they are discovered.
You can hide the firmware in ways not even the "official" firmware can access and only a mask inspection would show you have a small amount of ROM where none was supposed to be (or twice as much as you state in the chip specs). If I were paranoid, I would be seriously investigating whether such a plan could be actually conducted - how many processes would have to be compromised and how many people would have to be involved to introduce a feature like this in, say, a popular cellphone radio controller. Can we vouch for the integrity of the hardware/software stack in the towers themselves for not having any backdoor/sleeper code or logic?
Again, I don't imagine this as being the work of gangs, but of governments. It's like having your communications blocked as soon as tanks cross the borders and planes start dropping bombs. It's a very nasty scenario.