They have shown how a software attack could cause a smartphone to eavesdrop on a meeting or track its owner's location.
Unlike viruses, rootkits attack operating systems and can be detected only from outside a corrupted operating system with specialised tools.
"We are showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defences," said professor of computer science Liviu Iftode.
The proof-of-concept methodology shows that all the features of a smartphone, including its microphone and global positioning system, could be controlled by a hacker, said Richard Kirk, European director at security firm Fortify Software.
This means developers of applications for smartphones must embrace the principles of secure code development to prevent potentially serious hacking attacks, he said.
"A hacked smartphone can be used for all manner of hacking purposes, including data theft, botnet swarming, and distributed denial of service attacks," said Kirk.
He said rootkits could cause havoc on the internet through smartphones, unless developers switch to the secure coding practices that eliminated the PC rootkit threat in the early 2000s.