We can never say never, as there could be a vulnerability we don't know about, but there is currently no known way for a fake MEW to compromise a Ledger device.

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

In terms of the recently discovered Ledger exploit - if there was a similar exploit for Ethereum and ERC20 tokens, then theoretically someone trying to transfer Ethereum or a token to an address could be tricked in to also transferring some other token to that address. There is, however, currently no known exploit which could achieve this.