I assume that by saying “spy apps” you are talking about a specific type of paid apps.
Well even those non-paid apps or even self-developed ones can spy on your phone due to the fact that your phone is generally not protected by Anti-virus solutions, so any amateur can create a remote access trojan (RAT) and spy on you.
Now, how can someone install this rat on your phone?
Physically: in 2 minutes he can disable Google Play Protect, and download and install his rat
Remotely: via social engineering techniques (such as spear phishing)
or via an advanced technique called Zero-click attack