Backup program allows root access to LG smartphones
At least 40 LG Android smartphones are vulnerable as a result of security vulnerabilities in the pre-installed backup program Sprite Backup. Crafted backups can be used to execute commands as a root user, apparently without the user's knowledge – that at least is the suggestion in an advisory, which states that this is possible "under specific circumstances". An exploit (CVE-2013-3685) is already available on GitHub.
The backup program, produced by Sprite Software, comes in two parts. The user interface is provided by the "backup" app. It interacts with the "spritebud" daemon, which has root access. Spritebud can be controlled via Unix sockets. If a crafted backup file is fed into backup, it will be restored by spritebud. This results in a race condition, which can be exploited to inject a script into the backup daemon. This is then executed with root privileges and installs the tool "su".
The problem affects spritebud 1.3.24, backup 2.5.4105 and probably other versions. Exploit author jcase says he has informed LG, Google and Sprite Software of the security vulnerabilities. He also notes that LG took about 13 days before taking note of his report. A patch is reported to be in the pipeline.