Re: "and assume root privilege"
"and user rooted devices will block unknown apps by default"
you sure it's not the opposite (or were you being snarky)?
A normal "non-rooted" device blocks un-blessed applications by default, requiring you to jump through a hoop or two to install the potentially "dirty" ones. Some older 'droid versions were actually LESS convenient for doing this, at least on the versions I've worked with [I've had to do it for development stuff a while back, put APK up someplace, have people install it, etc.]. Newer ones have different hoops when you download, but just an extra "yes I want to do this" step rather than changing the default setting to allow 'foreign' APKs or whatever. It's been a while since I did it last... [online instructions if I forget]
But yeah any downloaded APK is a potential disaster for the person installing. The idea that a factory reset does NOT get rid of this particular malware is disturbing. Not sure how to EASILY do a complete re-flash though. It sounds like it would require more than an average tech... [maybe time to research doing that - I never went so far as to figure out how to do a complete re-flash on a 'droid device]
maybe future 'droid devices will need to ship with actual ROM (and not a potentially writable image) for a PROPER factory reset.
/me considers investigating how a debug USB cable might make this a little easier to deal with...
(I obviously STILL have a lot to learn about these things)
and yet - the absolute LAST thing we should want to see is an Apple-like (paywall and/or censor-wall) *STRANGLEHOLD* on what you can or cannot install... _ESPECIALLY_ for independent developers!