Why is it so damned easy for malware to get root access, and so damned annoying for me to get it?
In this case, the phone must already be rooted, and the user must be willing to grant root permission to the application. In other words, this is essentially a surveillance app for your spouse/girlfriend/boyfriend/children, where you must have physical access to their device for you to be able to install the trojan.
After all, why else would the AVG vendor not give us the name of the app?? And why else does the AVG vendor vaguely say that the app "applies for the root permission" when it goes down to the absolute nitty-gritty details for everything else?
In that context, it makes sense that 10,000 people downloaded/installed this app from some Chinese app store. Finding jealous people that want to spy on their significant other is easy enough (especially around Valentine's Day, which was only four days before this article was written). And rooting a phone in China is easy also, even for people that wouldn't know how to do it themselves: there is an entire corner shop service industry that's dedicated to helping Chinese consumers get rid of regional locks, copyright restrictions, software locks on pirated software, etc.