Re: Not seeing the problem here
Pray tell what constitutes a "proper review"? Do they have the source code to review? If not, how do they detect a malicious app?
I could easily write an app which has entirely innocuous behaviour. It reads your PIM, shows you your appointments, dials your numbers. Every day it also goes off to the web to retrieve an inspirational message to start your day. It works exactly as it should.
Then one day when it goes off for its inspirational message it receives an embedded pwn command and turns evil. It begins dialling a premium number from Guyana at 2am, searches your emails for credit card numbers and passwords, installs malware on any PCs it finds connected to the same wifi network as your phone and otherwise does everything to siphon your money and make your life miserable.
I'm quite certain I could hide this functionality sufficiently to evade an automated scan of the app.
That isn't to say a cash barrier doesn't have some effect on security. Just raising the bar would discourage hackers more than a $25 fee, for example. But I doubt it would discourage determined or well-financed attackers with particular targets in mind.