Can a virus, a skilled user, or a privileged app modify the Javascript in my Cordova hybrid app that is already installed on a user's Android or iOS? -

i'm wondering cordova's security app building. after app installed on user's device, can adversary or app/virus root privileges modify html and/or javascript sources stored in www folder of cordova app?

i know should not use eval in cordova app, if adversaries can modify javascript, can inflict same damage eval does.

i worried scenario following:

1. the user installs app.
2. an adversary has phone few minutes or time long enough change javascript in way can expose or send run-time information global variables.
3. the attacker adds javascript code sends session keys domain or email. or, if domain whitelisting used, attacker stores them in persistent storage s/he can later retrieve.

is realistic concern?