I know little to nothing about android, but it seems like even if we assume CMG code is in (say) all of Facebook’s iOS apps, each one needs permission to use the camera and microphone so if you deny that permission what CMG claims would be impossible. And while Apple certainly has a spotty record in enforcing App Store rules, I feel like they’ve got a lot riding on being absolutely certain that FB and Google and Amazon apps aren’t violating those rules because those are going to be on every researcher’s list of apps to test for privacy compliance.
I also don’t know the laws in India, but in the US nearly every major “hacking” case for decades has been a miscarriage of justice to some degree or another.
Like Kevin Mitnick who simply figured out that a major early ISP was keeping customer payment information in plaintext on an internet-connected server.