This is basically a summary of an excellent write-up on WPMU: Why you should never search for free WordPress themes in Google or anywhere else.
And if you already have a couple of free themes in your WordPress directory, you can scan them using this Theme Authenticity Checker (TAC) plugin.
Below is a screenshot of the plugin in action scanning the themes on my WordPress installation:
It is certainly good practice to do a scan on a theme locally before deploying it to your live WordPress blog.
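For a quick local triage before a theme ever reaches a WordPress install, here is a small added example (my own sketch, not TAC's code and not from the WPMU post). The pattern list and the sample theme files are assumptions constructed for illustration; every hit is a line to review by hand, not a verdict.

```python
import re
from pathlib import Path

# Heuristic patterns: assumptions for this example, not TAC's actual rule set.
PATTERNS = {
    "encoded-payload": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic-eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "static-link": re.compile(r"<a\s[^>]*href\s*=\s*['\"]https?://", re.I),
}

def scan_theme(theme_dir):
    """Return (relative_path, line_no, finding) tuples for every PHP file."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        # errors="replace" so odd encodings cannot hide a file from the scan
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, pattern in PATTERNS.items():
                if pattern.search(line):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, line_no, name))
    return findings

def build_sample_theme(theme_dir):
    """Write a constructed two-file theme: one clean file, one suspicious."""
    root = Path(theme_dir)
    (root / "index.php").write_text(
        "<?php get_header(); ?>\n<?php the_content(); ?>\n", encoding="utf-8")
    (root / "footer.php").write_text(
        '<div id="footer">\n'
        # Constructed sample; the string decodes to a harmless empty echo.
        "<?php eval(base64_decode('ZWNobyAnJzs=')); ?>\n"
        '<a href="http://example.com/">Sponsor</a>\n', encoding="utf-8")

if __name__ == "__main__":
    import sys, tempfile
    if len(sys.argv) > 1:
        target = sys.argv[1]          # path to an unpacked theme directory
    else:
        target = tempfile.mkdtemp()   # no argument: scan the constructed sample
        build_sample_theme(target)
    for rel, line_no, name in scan_theme(target):
        print(f"{rel}:{line_no}: {name}")
```

Legitimate themes often carry a hard-coded credit link, so expect `static-link` hits on clean themes too; the point is to see every outbound link and every encoded or evaluated string before the theme goes live.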
Since Google is not your trusted friend when it comes to finding free WordPress themes, where else can cheap people like us go? Fortunately, the author of the post above followed up with a post on good places to find free WordPress themes.
This blog and my personal blog are currently using one of the WooThemes themes (mentioned as one of the good places to get free themes). I can vouch for their high-quality themes, not to mention a host of theme functionality and customization options. But most importantly, these themes do not contain anything malicious.