Rant: We’re living in a time where curl | bash has become normalized. This generation’s security practices are fucked.
Back to the topic: I see it as a problem of not enough education and too much trust. People are not taught how to verify the authenticity and legitimacy of software, and put too much trust in claims of authority. It’s not just a consumer problem either, look at the CrowdStrike incident: people in the industry knew it was shit, but the decision makers kept trusting it because they are a big name. How did they become a big name? The same way a lot of other companies do, by bribing the early decision makers into using them.
Back to consumers: it doesn’t help that there’s no first class sandboxing features. Both Android and iOS rely heavily on app store controls. Sure, there are some system controls, but the user has barely any agency over them.