App security company Checkmarx found vulnerabilities that enabled them to take pictures and videos, at any time, using the Google and Samsung camera apps. In order to be able to do this they needed to get a rogue app onto the device and get the phone user to grant that app storage permission. Checkmarx created a weather app which had the necessary functions to allow them to use this exploit and uploaded it to the Google Play Store.
Checkmarx could record calls, and if the camera app had location permission, locate the phone.
This has been fixed in recent android security updates, and updates to the camera apps. Phone users are advised to make sure their phones and software are regularly updated. https://www.checkmarx.com/blog/how-attackers-could-hijack-your-android-camera#