1. First collect all the Apps installed on the Android Device in question.
2. Examine the App listing #1 above for any malicious Apps.
3. Verify if Magdisk's (or similar software) screens to see if there is intended root access on the device by the device owner. "NOT ROOTED" in the Magdisk screen below indicateds the device was not intentionally Rooted.
<Please see attached file for image>
3. Remove any unintended malicious Apps for example in his case "Lucky Patcher"