In order to make your app persist you'll need to have a rooted device and be able to install it to the system partition. Once it's on there you can uninstall the updates, since they are saved along side non-system apps, but it's not as cut and dry to uninstall it from the system.
I know some of them will also save a little bit of data on the system partition just in case the devices is factory reset, but there are also ways to get the package manager to leave behind your saved data in the event that it is just uninstalled.
Another option would be to register it as a device administrator. Once you do that they will be unable to uninstall it unless they manually remove it's admin status.
Here it looks like they're using root as well as other methods. Short of making some crazy elaborate service, which it appears they may have, there is no legitimate way to do this any other way.
Taking advantage of root is almost standard practice for AV/security apps like this, without it they don't have any real authority over any other apps so they're very limited. I think the SuperUser permission isn't shown unless you have it installed either, so many people are still unaware it's an option.
