Yes, these permissions are stated upfront. But the issue is that the entire address book is being uploaded without consent. That goes against expectations.
These very common (or pre-installed) apps all have both the READ_CONTACTS and INTERNET permissions:
• Google Docs
• Google Mail
• Google Maps
• Google Plus
• Google Voice Search
• Barcode Reader
I do not expect any of these to upload my entire address book, just like folk don't expect Path or WhatsApp to do so. But they could, at any time.
Boycotting anything with those two permissions just isn't a particularly feasible solution if you want your phone to be useful. So overall Android isn't much better off than iOS in this situation.