
I think you're underestimating the level of risk associated with people attempting to sideload Fortnite. People aren't necessarily intentionally seeking shady versions (but even if they were, I find this kind of victim-blaming counterproductive). They were doing things like searching "how to install Fortnite" on Google or YouTube and getting sent links to fake versions with malware loaded. [1]

How were non-sophisticated users supposed to figure out that the Epic link was the correct link to click among the thousands of search results? How many of the people wanting to play Fortnite for the first time even knew what Epic was?

> As long as the official download source is known to everybody

It's not, and that's the problem.

[1] https://blog.malwarebytes.com/cybercrime/2018/06/fake-fortni...



I guess my question is, is this problem really unique to sideloading, and if not, can it be addressed in the same ways we address other problems?

For example, does everyone know the official source of Facebook? If so, why, and if not, why is there not an epidemic of fake Facebook scams that steal login credentials? I know there are targeted phishing attacks, which is a separate issue, but I haven't heard of significant attacks from people who just didn't know the correct login page.

One way we do deal with this is with targeted blacklists of known-bad sites, particularly Google Safe Browsing. That's certainly a mechanism that could be employed for Android malware—and I think it already is, actually.

Problems do happen—but I don't see anyone calling on Google to restrict Chrome to a whitelisted set of approved URLs. And I'd posit that gaining access to someone's Facebook account is no less invasive than gaining access to their phone.


Don't the overwhelming majority of people access Facebook via the app these days? So the official source of Facebook for those people is... the App Store or the Google Play Store.

> And I'd posit that gaining access to someone's Facebook account is no less invasive than gaining access to their phone.

I don't think so. Accessing someone's Facebook messages and photos is one thing, gaining access to their phone means gaining access to their email which means potential access to any account linked to that email. Given how many people use mobile banking these days, I'd say there's a lot more potential for damage if your phone is compromised.



