Certificateless aggregate signature (CLAS) scheme has been widely adopted in resource-constrained wireless mobile networks, because it not only solves the problems of the certificate management and private key escrow, but also achieves batch validation. In this paper, we first analyze the security for Kang et al.’s CLAS scheme which was claimed to be secure against various types of attacks. Unfortunately, we find that their scheme can not resist malicious KGC’s attack and present a concrete attack method. To enhance security, we propose a new certificateless aggregate signature scheme. Furthermore, we formally prove the security of the scheme in the random oracle model. Finally, we evaluate the performance of our proposed scheme. Compared with the original scheme, our new scheme fixes the security flaw, while reducing the total computational costs, so that is more practical and adoptable in real life.