Re: VLC + WinRar
They don't have to sneak it into a repository or app store. They trap the download request and substitute their trojanized version mid-flight. I'm getting the sense that immediately checking the hash after a download but before an install is the only way around this, but (1) people have not a clue on what to do, let alone how to do that; (2) while extremely difficult for an individual, hash collisions can be engineered. Not at all easy, but guess what? Far easier for a nation-state than for most corporates, even an enterprise.
Given MITM attacks nation-states are also known for using, this is an utter mess. Normally, I'd say the regular people don't need to worry about this since how many nation-states target individuals? However, this is the exact situation where being a member of the media, involvement in what are usually considered innocuous civil rights groups, or being related to or friends with either sort, gets you targeted for arrest, prison sentences, and/or death. I've been following civil rights news for decades now and that all happens on a depressingly regular basis.
The one difference between the great powers and smaller nation-states is that the "little guys" keep it personal. Usually. Piss off my government, it's death from above and who the fuck cares who you are with. The "right" IMEI number is good enough for that.
Pardon me while I go throw up.