So far the nicest attack of the mentioned type I heard about, that happened in the wild and was missing any consent,(1) was hiding complete GPS trackers with batteries in 1:24 toy car models. A fake company has been created and the cars were given out as branded gifts to participants of illegal car races. The attack was discovered after a kid of one of the victims disassembled the toy. The attack was performed by people lacking any skill in electronics, using just the cheapest things bought on the internet.
This should explain to many, why some people are so concerned about running unauditable software or being forced to run any specific software at all on their computers; or having electronic devices being planted in their homes. It’s not about suspecting any particular vendor of malicious intent. But with how cheap and easy it is, and how many of such programs/devices end up in a context that should remain private, it’s not a matter of “if” but “when”. With “when” being very short in 2021.
____
(1) Even a consent a victim would be unaware of, because they don’t read or understand agreements.