At least on iOS, you can (out of the box) deny specific permissions to apps.
Ah, but dialling isn't one of them - instead, iOS always requires user permission for a call precisely because abuse gets picked up too late (it's a second layer of security if the app screening process didn't catch it). There are couple of things like that in iOS, you can also not intercept an incoming SMS unlike in Android. The latter is a bit of a shame because it makes encrypted SMS like the stuff from Whispersys impossible.
However, I wonder if this may be the cause of the latest iOS update to 8.1.3 - most of the CVEs were about exceeding bounds to potentially execute malicious code.
I don't quite buy this, though - you must be rather deep into an app's code to make it do something COMPLETELY different in a controlled way via an inserted ad, that's an awful lot of barriers to overcome just to clock up some premium rate profit. If you're that talented I'm sure there are more interesting targets out there. Something grinds here (sorry).