Supposed Android "Security Breach" That Sounds Impossible

So I came across this article:

http://www.fastcompany.com/3023042/fast-feed/this-popular-flashlight-app-has-been-secretly-your-sharing-location-and-device-id

It basically talks about Brightest Flashlight app accessing your location data and device ID without the user's knowledge (even if the user opts out). Supposedly the FCC is fining these guys for doing it.

But, what I want to know, is how this could even be possible. Android asks the user to specifically grant permissions to an application when installed. How is it that this app could possibly track the user's location unless the user specifically authorized the application to do so?

Did the app developer exploit some kind of Android defect that has since been fixed? Are they doing something to dupe users who don't know better when granting permissions. Anybody know what the deal is here with the Brightest Flashlight app? Reading the linked article above, there are no technical details on it -- jus the sensationalism of an "Android Security Breach".