Many free "utility" apps, such as flashlights or system cleaners, can be the culprits. Users often grant them broad permissions without a second thought. These apps then access contacts, location, and photos, which are unrelated to their stated function. This data is frequently sold to data brokers without the user's explicit knowledge.
Flashlight apps are, oddly enough, frequent offenders that the average user does not give a second thought to. I have audited hundreds of apps, and these apparently harmless tools often demand permissions that have nothing to do with turning on your LED camera. This is how it works: you get a free flashlight app, and among the permission requests you will find items such as permission to see your contacts, permission to see your location, even permission to use your microphone. The majority of users simply tap the "allow all" button without reading. This data is subsequently scanned by the application and sold to advertising networks or data brokers. I did an experiment a few years ago with one of the popular flashlight apps, which was pinging the location servers every 3 minutes even though the flashlight was not in use. The business model is the scariest part. These applications are not expensive since your information is the commodity. They will gather all your web history, including your day-to-day routines and physical activities. Others also develop elaborate profiles, which are sold to third parties for targeted advertising or even worse. My policy: when an application asks for permission to do something that is not in line with its aim, go ahead and uninstall it straight away. Android has an inbuilt flashlight which is fully operational and does not even require permissions.
Here's the thing about those free photo editing apps: they're sneaky. From my time building products at Meta, I learned the real problems hide in the background. Those apps upload your pictures and metadata to their servers without you really noticing. Stick with brands you know and actually look at how they handle your data.