malware – Is it possible for someone to spy on an Android phone without using spying apps?

I assume that by saying “spy apps” you are talking about a specific type of paid apps.
Well even those non-paid apps or even self-developed ones can spy on your phone due to the fact that your phone is generally not protected by Anti-virus solutions, so any amateur can create a remote access trojan (RAT) and spy on you.

Now, how can someone install this rat on your phone?

Physically: in 2 minutes he can disable Google Play Protect, and download and install his rat

Remotely: via social engineering techniques (such as spear phishing)
or via an advanced technique called Zero-click attack