pichlo
Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#20
Originally Posted by juiceme:
I'd imagine it is probably not worth for Google to enforce application developers to only request minimum permissions needed for the application to operate
Not if Google itself churns out applications requesting the full shebang of permissions without any obvious reason. I mean, I can understand that e.g. Maps might want to read your location. But why on earth would it need access to your call history or camera?

Regarding the case being discussed, sorry if I did not express myself clearly enough. I am not saying that every user application can compromise your identity (well, it can on Sailfish, but not on Android). I am saying that users want to run this fartapp, play this game or whatever and so they grant it whatever permissions it asks. Then, once installed, the application can do whatever it pleases with your sensitive data.

How is QuadRooter different? It also needs you to install something. As you correctly point out, it could potentially grant itself permissions not advertised at the time of installation, BUT the point is, you still need to install it first. So the would-be attacker needs to make it look attractive enough to lure the users into installing it. This is where the hard work is: making the app attractive. Not exploiting the vulnerability. If the app looks attractive enough, users will give it whatever permission it wants. They mostly treat the warning box as a nuisance that stands in the way anyway and just click through it. To that class of users (i.e. about 99% of them), QuadRooter poses no more risk than what they willingly expose themselves to every day already.
__________________
Russian warship, go fuck yourself!
 
