One of the things you have to be aware of is false positives.
We use LookOut for work on our Android phones and an investigator got disabled for an attempted rootkit.
He panicked and wiped his device so we could not do forensics on it. (we had called him and told him not to use it as it may be compromised.) Lesson learned: Just tell him to bring it in next time. We suspected something fishy but then another user got the same warning the following week so we now think it was a false positive.