Most likely they are exploiting a security hole to quickly gain root access. Over the years a number of "one-click" root exploits have appeared for Android, so it's not unthinkable that they are rooting on the fly. Besides, most Android phones aren't particularly up-to-date, so in a lot of cases it's not like they would even need an undisclosed zero day exploit.