The possibility to do this? Sure, without a doubt it exists, there are much worse POCs out there tbh. Doing it against common joe? No need. Phone companies can be pretty devious in all honesty and are required to follow the law (and therefore intercept requests) just like all other businesses but this method is just not efficient enough.
The cases that come to public of this happening are usually cases of intercept rather than piccies. Taking a picture would tell you the device location & user but it's a illogical method when you compare it to GPS/cell trig and call tapping. As anyone who has tried it will attest to - you are behind a huge NAT on most network plans, an easy point where your packets can be sniffed.
The best example of FBI intercept is
here. A nextel phone had a firmware change (it was in 2006, no need for apps here) which enabled the sleep mode of the phone to start a one way call on demand. Genius considering the challenges they faced 7 years ago. The other problem with on device intercept is that you can only hide it for so long - network intercept is virtually impossible to spot but on devices these days you run the risk of a clever person uncovering it.