It appears the default LG keyboard and handwriting apps had problems that allowed for a hacker hanging out in a coffee shop (or just their $30 Raspberry Pi,) to play man in the middle and drop off their code in your phone due to LG’s messed up updating logic.
LG was using HTTP and not HTTPS for updates. That could potentially invite someone to play man in the middle and load code into the apps as an update to run with privileges later on.
While a long shot, with 20% of the Android population sporting LG phones that’s at least a couple thousand people getting their phones infected without much trouble.
LG’s rolling out a security update in their May patches, so make sure to grab them if you’re able.
Users of LG phones can go to settings / update, or if there’s no update available just not get on WiFi they don’t trust.
Alternately you can spend some money on a VPN so nobody can execute a man in the middle attack. I’d just suggest updating the phone and until then staying off of WiFi you don’t trust.