The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates.
Is it possible for rogue apps to be installed silently (maybe from visiting websites, etc) on an android phone without the users consent? I’m just thinking that maybe CMS is playing catchup like your windows antivirus software and should rely on a more proactive solution. Maybe Android offers something similar that I’m not aware of.