Comment Re:welcome to the big time (Score 2) 193
No, it's the user who is getting exploited. And that's the point: the average end user (and in the case of more advanced malware, the average technical user, or in fact anyone who hasn't been able to audit the application source code) is vulnerable to this sort of malware.
Using an app store plus code-signing enables a trusted third party to audit the code, and sign it as approved to run on the device. In the case of appliances like phones, tablets, etc., expecting your typical non-technical user to audit source code for every app they install is unrealistic.
In the case of loading an app onto an Android device from a third party, it's a crapshoot. You are basically guessing that the particular installer you are running is not a trojan. You may be basing that on app reputation, etc., but have no real clue whether or not it has been time-bombed, for example. You're guessing, flying blind.
It's pure luck and lack of true malicious developers on the platform that the Android malware situation right now is not a LOT worse. And it's nothing to do with exploiting the JVM, kernel or whatever - it's purely due to the end users of consumer devices not being interested in becoming security experts. They are (rightly so) not interested in it.
Signed-code only, whilst being restrictive in what you can run, takes that burden off the user. If the user truly wants to run something that the vendor will not sign, in the case of iOS it is simple enough to get a developer subscription and compile it from source yourself.