WPS office has some dark patterns now. When a client sends a file to one of our employees, if they have WPS office on their phone (default on Huawei and Xiaomi phones and nobody ever changes defaults) they don't actually send the file but they send a link.
The link opens the file in a web preview and there are two prominent "download" buttons. Both are fake buttons that don't actually download the file but is an exe that will install WPS office in background without any user interaction.
Employees can distinguish a phishing or malware emails, but still I found WPS office installed on too many computers: this is unacceptable.
For installing it doesn't require elevated permissions, it can install with the lowest user level, but of course for uninstall it requires admin...
There's a way to forbid installing this malware? Maybe like a group policy that forces microsoft defender to always treat any files signed by "zhuhai kingston" as malware