The "HummingBad" malware is in the news right now, and not in a good way. In researching the topic, I found this report from CheckPoint. Here is a quote describing HummingBad:
HummingBad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and enables additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
Can a malware app somehow find its way around the Android "sandbox" architecture to infect a phone? Or is the spread of this malware restricted to customers who buy rooted phones?
It appears to be able to attack rooted devices directly, but also has several "Plan B" attack methods as well. For non-rooted devices, it relies on tricking the user into approving the installation.
Here is the link to CheckPoint's recent article on HummingBad: http://blog.checkpoint.com/2016/07/01/from-hummingbad-to-worse-new-in-depth-details-and-analysis-of-the-hummingbad-andriod-malware-campaign/
and here is a link to their 24-page report: http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf