Stopping remote management, shaking shells, shooting APIs

Once a device is infected with malware, or is shelled by a remote intruder, is it worth the effort to try and resolve the issue, or just burn everything it ever touched? A factory reset is frequently a go to suggestion, but if a user has the option it doesn't prevent immediate reinfection, nor clear internal bloat. Especially with sdks packed into app stores like Trojans, it's likely that even flashing a fresh os carries the same risk factor as individually being infected by download ar random. So the question is really three parts; how does one close reliably prevent external manipulation of a mobile device if the attacker is provided token access, or is running APIs to a device via java card? How does one regain control of an actively "managed" device once the UI is an emulated shell? How does one kill all remotes, listeners or beacons if legitimately gaining root control isn't an option?