The application, called Smart Notice, is a kind of multifunctional widget, managing contacts, notifications, and weather and traffic alerts.
Once the code was on the phone, any information stored on its SD card, such as private images and chat logs, could be stolen.
"The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users," BugSec and Cynet wrote in a blog post on Thursday.
The researchers found a variety of ways to trigger their malicious code and carry out actions, such as opening a phishing site that tries to steal a person's Gmail credentials or prompt a person to download a remote access trojan.
"With a little tweak, we were able to load external scripts from a remote host and 'refresh' our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads," the companies wrote.
It was also possible to conduct a denial-of-service attack that could only be stopped by doing a hard reset of the phone, they wrote.