I think this is entirely plausible, and does not require physical access to the phone, nor an hour to install, and possibly no cooperation from the target.
The great big giant thing a spying app like that will require is an exploitable vulnerability in the phone, which allows the app to behave in the way described. Such vulnerabilities, both known and unknown, certainly exist today. There have in the past been remote exploits of phones, and there will be again in the future.
So, the sequence of events needs to be something along the line of the PI calling a company that sells such spying software and saying, “The target has a Galaxy S7 with the phone number…” The hacking company, after receiving a large payment, initiates a remote exploit on the phone, and uploads their software. The software then installs itself, uses the same or other exploits to gain elevated privileges, and begins running in the background.
There are cheaper options available today, which mostly are just spying apps that *do *have to be manually installed. Modern versions of Android and IOS will require setting permissions for some of the listed activities, and some of them may be blocked completely. For example, beginning with Android 9 Pie, regular apps will not be able to record phone calls.
Obviously always running software isn’t without consequences. It will almost certainly impact battery life, and may use enough data to be noticeable, though probably not if it is just sending audio, text, and location data.
Many phones have multiple microphones, some of which are designed to listen to ambient sounds. For example, I just set my phone across the room, and in a normal speaking voice I could say “OK Google” and interact with it. Which means, for at least while I temporarily enabled the feature, my phone is in fact listening to all conversations all of the time.
As has been observed many, many times. Smartphones are remarkably complete surveillance devices, which can be used for both good and evil. I really like to have my phone tell me at 3pm, “leave by 3:20 to make your 4pm appointment.” To do that it needs to read my calendar, know my location, and be aware of traffic conditions between where I am and my appointment. I’m not paranoid enough to trade that convenience for complete privacy. I am sure that AT&T, Samsung, Google, Tesla, State Farm, and perhaps others know where my phone is at all times. If AT&T knows, then so does the US government or any law enforcement agency that cares.