Issue 1: Samsung uses a white-label version of the popular SwiftKey third-party keyboard app as the default keyboard in recent Android devices. To do so, it repackages the app and installs it into the system partition, which gives the keyboard app "system" privileges.
Issue 2: Android's ZIP library is vulnerable to a directory traversal vulnerability, similar to what is described in CERT's Secure Coding guideline IDS04-J. Many researchers believe that other platforms, like iOS, suffer from the same issue, but I have not personally confirmed this. How does this work? An attacker constructs a malicious zip file in which the name of an included file contains a directory traversal sequence (such as `../`). The extraction code follows the traversal and places the file in a directory that the app developer wouldn't expect.
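The following is an added example, not code from the original post or from Android or SwiftKey. It builds a constructed zip archive in memory whose second entry is named `../outside.txt`, extracts it with a naive loop that trusts entry names (the defect IDS04-J describes), and then with a hardened loop that canonicalises each target path and rejects any entry that resolves outside the destination directory. The entry names, the temporary directories and the `demo()` harness are all assumptions made for this illustration.

```python
import io
import os
import shutil
import tempfile
import zipfile


def build_traversal_zip() -> bytes:
    """Constructed sample archive: one benign asset plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("en_US/dictionary.txt", "hello world\n")
        # Entry name with a directory traversal sequence (constructed for this demo).
        zf.writestr("../outside.txt", "written outside the target directory\n")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable extractor: joins dest and the entry name without validation."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # traversal survives this join
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def safe_target_path(dest: str, name: str):
    """Return the canonical path for entry `name`, or None if it escapes `dest`."""
    dest_real = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(dest_real, name))
    # commonpath collapses '..' and also rejects absolute entry names like /etc/passwd
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        return None
    return candidate


def extract_safe(zip_bytes: bytes, dest: str):
    """Hardened extractor: every entry is checked against dest before writing."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target_path(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors on the sample archive inside a throwaway directory."""
    zip_bytes = build_traversal_zip()
    root = tempfile.mkdtemp()
    try:
        extract_naive(zip_bytes, os.path.join(root, "assets"))
        # The naive loop wrote root/outside.txt, one level above its destination.
        naive_escaped = os.path.exists(os.path.join(root, "outside.txt"))
        safe_written, rejected = extract_safe(zip_bytes, os.path.join(root, "assets2"))
        return {
            "naive_escaped": naive_escaped,        # True
            "safe_written_count": len(safe_written),  # 1 (only the dictionary)
            "safe_rejected": rejected,             # ["../outside.txt"]
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The naive loop is written by hand because Python's own `ZipFile.extractall` already strips traversal components; the point is to show the check an extractor must perform itself when it resolves entry names manually, as the vulnerable Android code did. Canonicalising with `realpath` before the containment test matters: a prefix comparison on the raw joined string would still accept `dest/../outside.txt`.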
Issue 3: SwiftKey downloads certain zip files over HTTP. These are typically files that contain extra languages. It must be noted that these are application assets, not executable code. Just as most apps download image files over HTTP, this app downloads some ZIP files with text in them. There is no vulnerable update mechanism in place. SwiftKey would probably not find a flaw during code audits, penetration tests or design reviews because downloading an asset over HTTP is not normally a flaw.
The combination of all three issues allowed the researcher to achieve remote code execution. He did this by performing a man-in-the-middle attack on the cleartext traffic [due to Issue 3] and replacing the downloaded ZIP with a malicious one. Upon extraction, this new ZIP overwrote an executable file [due to Issue 2], enabling the execution of malicious code included in the ZIP. The location of the overwritten file had filesystem permissions that prevented access by normal users, but the overwrite succeeded because the keyboard app runs with system privileges [Issue 1].