OK, you say that you've figured out that the attack is via the IMEI. The IMEI is just a static hardware identifier, nothing else. The network will know your IMEI, but if the attacker is inside the network's systems the only thing you can do is tell your service provider they have been compromised and try to convince them that you know what you are talking about (which may not be easy).
Some apps can access phone identity information. If one of those is malicious then it could be passing your IMEI or other information on, but in that case it's not the IMEI that's the vulnerability that allows them access, it's the app that has been installed, and the solution is to identify and remove the app and work out how it got on there so that it doesn't happen again. Most Android malware is of the trojan variety, i.e. involves tricking the user into installing it thinking they are installing something harmless (in many cases it's the app itself that's the malware, in some the app is then able to install malicious content after the user installs it). If your phone is old or rooted then the malware may be able to install itself to the system, requiring a complete reflash to remove it.
There is some very sophisticated surveillance software out there, but it is not generally in the hands of ordinary criminals (e.g. the Pegasus spyware, sold by an Israeli security company supposedly to governments only with strict limitations on what it can be used for, which of course means it was sold to repressive regimes and used to target journalists, activists, political opponents and other countries' politicians). Unless you fall into one of those categories it's highly unlikely that you have been targeted by something like that - if you have then "buy a new phone" might be the best advice.