We spend a lot of time talking about trust in the security world. "Don't download software from an untrusted source", "don't open emails from people you don't trust", "Don't plug untrusted usb devices into your computer." Then we get very condescending when people fail to obey these simple tenants of trust. What do we do when the trust betrays us though. These two most recent examples show cases where the users had every right to trust the infection vector. They downloaded software directly from energizer's site, why wouldn't it be safe? I just bought this phone, it's brand new. How could it possibly have malware on it? The phone example would be exactly the same as if you went to a store like staples, bought a thumb drive. Opened that horrid plastic bubble packaging, insert it in your computer, and then your antivirus starts setting off alarms like a 1940's air raid siren. The device was brand new, had not been tampered with in the store as far as you could tell, and came from a trusted source.
So now what if we take our hypothetical situation one step further. What if the malware isn't recognized by your AV. Now we have an infected computer. Your friend brings his usb drive over a couple days later to copy some files. It's his usb drive, he knows where it's been. He knows your a smart guy, so your computer should be safe. He takes the infected drive home, and now infects his machine. The cycle is obvious of course. Yes, of course these hypothetical people should have autorun turned off, we all know that by now, and so this example is not perfect. The issue is the trust factor though. In these situations, there is no "blame it on the user". They had every reason to trust these sources. It seems like the only answer is "don't trust anyone or anything". I'd love to see people's thoughts on this.