>if the OS won't let the user install the malware, that's the end of the line.

except there's no definitive, 100% foolproof way to identify something as malware v. not-malware. If you put a bunch of dialogs in front of something, the site will just include a for-dummies illustration of what to click to allow the install. This will especially be the case if doing so is a prerequisite for receiving the new emoji pack, or whatever else it is that the people have been promised on the other side of those clicks.

We've been through this song and dance enough times that it's not a question of whether this will happen or whether users will fall for it. It's clear that it will and they will. Users do not read dialog boxes, they interpret them as noise and click through them. Operating systems can only protect the user from themselves up to a certain point, at least while retaining the ability to install third-party software.

My mom's computer(s) have been running Linux for probably 10 years now. This has kept her reasonably safe (especially as contrasted with my dad, who insists on Windows), but one time I went over to find some PDF injector-thing installed as a Chrome extension. From her POV, this "just happened".

While using a less-targeted platform helps a lot, online malfeasance is not a platform-specific problem. Pretending otherwise is kidding ourselves. Vigilance is always needed.