Spyware and hacking tools will always be glitchier and function more unpredictably than commercially available code.
This is my conclusion based on my experience and my reading on these matters since about mid 2014.
Spyware/hacking tools do not usually undergo development by dozens of in-house software engineers. Spyware and hacking tool code are unlikely to go through any extensive auditing process. Obviously spyware/hacking tools can't be widely beta tested before use either, since knowledge of even the existence of a surveillance tool must be limited to avoid leaks.
Apps and operating systems are updated regularly with new code. New types of apps are developed. Both increase the risk of spyware edge cases. Spyware rarely if ever gets a chance to mature. Phone spyware is discovered by the end user or by some other method eventually. At that point usually at least parts of the code have to be replaced due to countermeasures.
A “hacker” even a government one is invariably working at least in part with some immature and poorly tested code, at least from the commercial software development perspective. This poorly tested code or parts of code that had to be changed after it's last signature was discovered not infrequently behaves like an app in early beta testing or sometimes even a nightly.
Due to the lack of extensive code auditing and beta testing, spyware/hacking tools will be prone to a greater number of edge cases which alerts the target, that is, if said target decides to look. You can't rely on passive defense. You gotta patrol your perimeter.
Edge cases or other oddities that are often more subtle or seem completely unrelated are more common in malware/spyware infected phones and in midpoint intrusion. You are very likely in my opinion to see all sorts of oddities at some point while under surveillance by an APT. The more widely you use your phone with phone data and WiFi, the more likely you are to find them. Edge cases and other types of breadcrumbs are all around.
Yogi Berra says you can see a lot by looking. NSO is not the threat that click bait links make it out to be. If you know you are in a high risk group you can see them eventually. Some anomaly of functioning will cause a high risk individual to wrap that phone in 20 million layers of aluminum foil and find a way to get it to Citizen Lab or Amnesty International. Explain what you saw. I think they may have some experience with reporters contacting them so they have a good idea if they may find something or not based on your description of glitches and other oddities.
The more ambitious the spyware (for example having the capacity to look at all data on the phone and manipulate various apps, take photos or Livestream, or turn on the microphone or Google Texts To Speech) then the more likely a suspicious anomaly will pop up at some point.
A hacker runs a risk of discovery each time he or she uses their code, whether it is an ordinary criminal trying to steal credit cards or an APT wanting to get to know someone better. The more hacking and surveillance attempted the more likely one of those attempts is spotted.
The risk of spyware/hacking tool discovery also increases based on the quantity of data the hacker attempts to access. Attempts to access larger amounts of data, either at rest or in motion, increase the risk of discovery.
Attribution should be fairly easy even if your APT doesn’t leave a calling card (or they counterfeit another APT's calling card). What risk category are you? Have you been breaking any laws or “conspiring” with others to do so? Have you angered your national tyrant somehow? Are you part of the political opposition, an activist, a journalist, an ordinary criminal, a person with a valuable body of knowledge or have access to a valuable database?
You don't need an APT fingerprint nor do you need any technical knowledge for attribution in many cases, just common sense.