Re: What I find most worrying...
"Besides with man in the middle you'd need the encryption keys."
El Reg articles have described scenarios where MITM attacks are possible. It is usually not about breaking encryption - but about spoofing certificates. Although there have been suggestions that encryption keys can also be compromised by MITM.
You only need to inject the malware into an unencrypted page's HTML to attempt to install it on someone's device.