Many rooted phones have viruses. The phone owner gives the viruses its permissions on purpose. Actually, it is the virus that gives the phone owner root access and in many cases, keeps for itself, the root access for its own purposes.
For most of us, the only way we can get root access to our Android or iPhone, is to do business with unknown parties who give you something semi-illegal (technically legal for use on your own phone) for free and ask you to trust them. Generally speaking, mainstream businesses won’t help you to root your phone (give you complete Admin control). They don’t want to be responsible either criminally or civilly. So you download an executable from a relatively anonymous website and follow the instructions that come with that executable. Generally, the instructions include disabling all of the antivirus programs on your phone and pc, enabling un-trusted sources to install programs on to your phone, and plugging the phone in to your pc (via USB) and executing an exploit against the phone, from your PC. The result is that you gain root access to your phone, along with anything else the provider of the exploit wants to do to your phone.
The exchange is much like meeting a stranger in a dark alley and exchanging goods. He gives you something that has some legally questionable validity. You give him your bank account login name and password. He promises to only take out the agreed-upon amount from your bank account.
People do this. It is nice to have a rooted phone. But at what price? Once that exploit has been run, you’re on your own. The phone warranty is voided. The person who wrote the exploit has used root access to your phone to do what they intended to do. As long as you don’t figure out what they’ve done, you continue using your phone. It can wake up every night and go do the exploit writer’s bidding and you may never find out until the FBI knocks on your door.
If you’re lucky the exploit writer is just a geek who is honest and just wants the kudos that come with circumventing a lock-out built by Samsung or Apple. Either way, you have to trust a complete stranger. Unless you wrote the exploit yourself, you’ll never know if your phone is clean after that. Whatever the root user says, is the ultimate law of the phone.