It is rather sad how porous Android OS is, and modern mobile operating systems are in general. Researchers have found over 1,000 Android apps that steal your data even when you denied them permission to access that information.
How does it work? Pretty much like when you lock your door to keep intruders out, but they climb to your roof and get in through an attic window.
Researchers from the International Computer Science Institute (ICSI) looked at almost 90,000 apps from the Google Play store, tracking how data transferred from the apps when they were denied permissions. They found 1,325 Android apps violating permissions by using workarounds hidden in its code that would take personal data from sources like Wi-Fi connections and metadata stored in photos.
As an example, you install an app, deny it permission from accessing your location info, but the app snoops around your photos and extracts location info from those photos. If the door is shut, use a window. Classic breaking and entering trick.
Some other apps steal your personal data from the apps that you have granted access to them. Yes; if they can’t get it directly from you, they’d get if from someone who has been trusted with it. Smart. And crooked.
There are other ways that privacy circumvention happens. User privacy is a mess, whether you use an iPhone or an Android phone. But on Android OS in particular, it is a sticky, hot mess.
Google has been notified of this issue and they say it will be fixed in Android Q.
You can read the report: 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System (PDF).