You don't need to read the code for a "flashlight" app if you look at the ACL and see it wants to access location and internet and the phone number list. After that you can look at the code a little and test it to see what it actually tries to do, much of which can be automated. We have enough experience automagically detecting the existence of malware these days that we can weed out a good percentage that way.
But that's a really obvious suspicious case, and is a case where the existing system works perfectly -- you'll get a bunch of negative comments from users about your weird permissions, be complained about, and be removed. Remember that you fundamentally can't use a permission you're not notifying the user of. I'm talking about what you'd do if you actually wanted to get away with it, which is build an app that already has some legitimate use for the permissions you're requesting. In those cases you'd need to do code review, and you'd have no idea you should be looking in the first place. This means you'd need to code review everything with any special permissions, and doing a passably thorough job of that is basically impossible. It's make the US Patent Office look fast.
A bug in the code is worth two in the documentation.