By default Android takes an all-or-nothing approach: it tells you what permissions the app wants, and you decide if you want to install it or not. There are, however, 3rd-party solutions for rooted phones which allow you to deny specific permissions, and these work well (for example, I told my weather app that it didn't need permission to vibrate the phone; I'm capable of deciding when I want to look at the weather). The problem here is twofold, though:
1) You can allow or deny, but you can't fake, which means if an app decides not to run without reading your contact list to show you the weather, you can't show it a blank contact list to trick it into running. I think you should.
2) And this one is more important: accessing arbitrary files all over the internal file system (such as what VAC is doing in this case) is not considered a permission. It's allowed by default, and is not one of the things you can block, or even see if the app needs.
This is ridiculous. I could deny every permission in Android, and a program like VAC could still read my DNS cache. Now, I could stop it from contacting the internet, but obviously that's something I want an online game to be able to do. So even the most "advanced" OSs we have today in this area STILL don't stop apps from accessing random files that they have no business accessing. This is a major security concern.