If you buy a cheap Chinese thermal camera for your smartphone and install the app, the app will request a boatload of security permissions. It will request permission to access your location; to act as an Account Authenticator for the Account Manager; to request authorization tokens from the Account Manager; to read your phone state, including the current cellular network information, phone number, the status of any ongoing calls, and a list of any Phone Accounts registered on the device; to start automatically when the device boots up; to initiate a phone call without going through the Dialer user interface for the user to confirm the call; to read the low-level system log files, which can contain your private information; to create windows intended for system-level interaction with the user; to mount and unmount file systems for removable storage; to read or write the system settings; to get information about the currently or recently running tasks; to access information about Wi-Fi networks; to change Wi-Fi connectivity state; to receive a broadcast when the screen is on or has been unlocked; to keep the processor from sleeping or the screen from dimming; to change network connectivity state; to write to external storage; to perform Mobile Device Management tasks, a permission that is typically used by system apps or device policy management apps; and more. You might think that all the app would do is show you what the camera sees, but no.
Oh, but this article has more. It shows how this was figured out, using a tool called JADX, a "Dex to Java decompiler", and Ghidra. By "Dex to Java decompiler", they mean it converts Dalvik bytecode to Java code, taking APK, dex, aar, aab, and zip files as input. Dalvik is the virtual machine on Android phones. Well, Dalvik used to be the virtual machine on Android phones; a newer, better virtual machine has since been invented, but Dalvik is still the format used for the files that distribute Android apps (which is what those file extensions are about).
Not everything decompiled neatly with JADX, which is where Ghidra comes in. Ghidra is a full-fledged reverse engineering tool developed by the NSA. Yes, the NSA.
Interestingly, the device identifies itself as "Cypress Semiconductor Corp Cino FuzzyScan F760-B". Cypress Semiconductor Corporation was acquired by Infineon in 2020 and no longer exists as a separate corporation. I guess that doesn't stop other people from using its device driver.
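As an added example (not code from the linked article or from this post), here is one way to run the same kind of permission review yourself: JADX shows an APK's AndroidManifest.xml as plain XML, and the script below flags the requests in it. The manifest is a constructed sample, and the mapping from the capabilities listed above to android.permission names, along with the "expected" baseline, are this example's assumptions.

```python
import xml.etree.ElementTree as ET

# android:name lives in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Real Android permission names matched to capabilities the post lists.
# The mapping and the risk notes are assumptions made for this example.
RISKY = {
    P + "CALL_PHONE": "place calls without the Dialer confirmation",
    P + "READ_LOGS": "read low-level system logs",
    P + "READ_PHONE_STATE": "read phone number, network and call state",
    P + "SYSTEM_ALERT_WINDOW": "create system-level windows",
    P + "WRITE_SETTINGS": "read or write system settings",
    P + "MOUNT_UNMOUNT_FILESYSTEMS": "mount/unmount removable storage",
    P + "GET_TASKS": "list current and recent tasks",
    P + "RECEIVE_BOOT_COMPLETED": "start automatically at boot",
}
# Baseline a camera viewer could plausibly justify (assumption).
EXPECTED = {P + "WRITE_EXTERNAL_STORAGE", P + "WAKE_LOCK"}

# Constructed sample manifest, NOT the real app's manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.thermalviewer">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

def audit_manifest(xml_text):
    """Return requested, risky and unexplained permissions, in manifest order."""
    root = ET.fromstring(xml_text)
    requested = []
    for node in root.iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = node.get(ANDROID_NS + "name")
            if name and name not in requested:  # skip duplicate declarations
                requested.append(name)
    risky = {p: RISKY[p] for p in requested if p in RISKY}
    unexplained = [p for p in requested if p not in RISKY and p not in EXPECTED]
    return {"requested": requested, "risky": risky, "unexplained": unexplained}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in report["risky"].items():
        print(f"RISKY  {perm}: {why}")
    for perm in report["unexplained"]:
        print(f"REVIEW {perm}")
```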
To top it all off, this article even includes a teardown of the device itself.
Hacking the T2S+ out of fear: Get lock-in thermography for free