People really pay too little attention to this attack avenue.
It's both extremely convenient and very unlikely to be detected, especially given that most current systems are associated with an account.
I'd be surprised if it's not widely used by law enforcement, when it's not possible to hack a device in more obvious ways.
Please check theupdateframework.io if you have a say in an update system.
Isn't it the same with many Linux distros?
Updates are using root to run?