Playing out in the sidelines of the Cambridge Analytica scandal was the discovery that Facebook had been collecting metadata on the calls and SMS conversations of many of the users of its Android app. Whatever your view on this practice, the fact that it is carried out by a single app does at least make it somewhat transparent to anyone analysing the app.
It is more complicated when apps use a concept called ‘app collusion’, where two (or more) apps installed on the same device work together to collect and extract data from the device. Using the combined efforts and permissions of multiple apps makes the exfiltration of data less easy to detect, either by privacy-conscious users or by reverse engineering, which often looks at apps individually.

Source: Virus Bulletin :: VB2016 paper: Wild Android collusions