I recently came across a site giving away good quality themes for free - but once downloaded it turned out that all the themes contained poorly concealed malware. Thankfully on this occasion my anti-virus picked it up.
What are the common signs that a theme might contain malware, are there any obvious or well known tricks that I should be aware of?
Since you're looking for free templates I assume you're not looking to spend extra, but mysites.guru (formerly myjoomla.com) has excellent security scanning.
The details of what you're looking for:
Now, a commercial template will have several supplemental php files, so not all additional php files are bad, of course.
The biggest "gotcha" though is the iframe.
Perhaps there is only one safe answer - only download direct from the original creator and preferably from a well known template house. Most of the commercial template devs do at least one free template. Do your research on the creator as much as the template ;)
I would always favour any free software (not just Joomla templates) that is available, and easily scrutinised, on Github.
As Hils rightly points out, never ever download a template from any other provider than the creator, it's almost guaranteed that you'll get a dose of digital pox that way.