There is malware that jumps VM's and fu*&ing air-gaps... This ain't $h1t.
Charles 9 is correct. It will use an exploit, usually dirtycow, to temp root for that instance only. It will lock up the device after it does its bidding via kernel panic or OOM event forcing the user to restart the device, thereby effectivly erasing the root yet leaving the code nestled between your /system files and your /data files... Both need root to write to. Anyway that is what I heard from SWIM....
Biting the hand that feeds IT
