Getting this kind of behaviour past review is simple, and malevolent apps do happen.

Google has a clever technique for detecting them (after review) and it's good, but slow. It has a decent chance of detecting the app after a few attacks, and works by analysing which apps were installed on phones just before a factory reinstall.

Sure, the official App store can do that but that does not mean the user should not have the option to side load apps.

... except that they most definitely do still happen in spite of that.

But yes, they do tend to mean less obviously-just-malware apps.