You don't need to read the code for a "flashlight" app if you look at the ACL and see it wants to access location and internet and the phone number list. After that you can look at the code a little and test it to see what it actually tries to do, much of which can be automated. We have enough experience automagically detecting the existence of malware these days that we can weed out a good percentage that way.
But that's a really obvious suspicious case, and is a case where the existing system works perfectly -- you'll get a bunch of negative comments from users about your weird permissions, be complained about, and be removed. Remember that you fundamentally can't use a permission you're not notifying the user of. I'm talking about what you'd do if you actually wanted to get away with it, which is build an app that already has some legitimate use for the permissions you're requesting. In those cases you'd need to do code review, and you'd have no idea you should be looking in the first place. This means you'd need to code review everything with any special permissions, and doing a passably thorough job of that is basically impossible. It'd make the US Patent Office look fast.
Nobody, at any marketplace service, is going to have time to do a code review of everything that gets submitted. Even console games -- which have a months-long and intensely painful approval process the likes of which you've never seen -- don't do code review. The very concept is ridiculous; there's way too much code and way too many people involved. You're going to have to trust your developers, folks, and make use of the user-ratings tools if you don't.
Android's model of showing you what special access the software uses is about as good as I think you can get in the real world without learning to use a packet sniffer. RIM's ability to disable individual types of access is cool as well, but if the software needs it to function (or says it does) I'm not sure how the user is supposed to be in a position to use it intelligently. To avoid these sorts of data harvesting problems, they'd have to somehow psychically know that the contact manager they're trying out uses that internet access for more than the occasional ad serve, and how would they know that?