Apps from the Windows Store run in a highly restricted sandbox and have to be approved before they can be listed. So why was this app able to automatically download an executable file that multiple virus scanners identified as potentially dangerous?
One of the biggest selling points of the Windows Store is its promise of safety. Apps have to be approved to make it into the store, and the sandbox in which apps run should prevent them from causing any damage or installing malware or unwanted software.
That doesn't mean developers can't try shady tricks. But their options are extremely limited, which is why I was surprised to find an app in the Windows Store last week that actually succeeded in downloading adware to a Windows 10 PC.
An unsophisticated user might have been fooled into going one step further and running that software, resulting in the installation of an annoying piece of adware and potentially much worse...
Source: How was this Windows Store app able to download adware to a Windows 10 PC? | ZDNet
The author got a little overexcited. For starters it is PUP, secondly, it merely opened a link, the browser downloaded it, so no sandbox was breached. I guess, that the proclaimed update downloaded some script, which caused a link to open.
The problem is, that it is a download app. The app itself and its content are sandboxed, but not, what it downloads.
Just like a browser, eg Chrome, it is sandboxed, but a user can download any malware and run it, sandbox does not apply.
Quote