Same thing applies on smartphones too. If an app requests a lot of permissions that do not look like a legit part of the service, stay the hell away from it. A couple of examples:

* Facebook Messenger does not need access to my location and call logs.
* The main Facebook app does not need access to my SMS.
* Signal does not need access to my calendar.

Edit: a couple more examples:

* WhatsApp does not need to read my Google services configurations.
* Viber does not need access to my Bluetooth.
* Snapchat does not need access to my audio settings.
* Instagram does not need to run at startup.
* Microsoft Word does not need to have the ability to set an alarm.