Information

The built-in Google Text-to-speech app (com.google.android.tts) verifies the signature of voice data downloaded to publicly accessible external storage before extracting it to internal storage. An attacker can overwrite a voice file right after verification and before extraction. A Zip path-traversal vulnerability allows the attacker to overwrite any file in the app’s sandbox directory.
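The two weaknesses above have a common mitigation pattern, sketched here as an added example in Python; it is not Google's code or part of the original advisory. The function names are hypothetical, and a SHA-256 digest stands in for the app's signature check. The archive is copied into private storage once, that private copy is the one verified and extracted, and any entry resolving outside the destination is rejected.

```python
import hashlib
import io
import os
import shutil
import tempfile
import zipfile


def install_voice_pack(shared_zip, private_dir, expected_sha256):
    """Stage, verify and extract one and the same private copy of the archive."""
    os.makedirs(private_dir, exist_ok=True)
    # Copy out of world-writable storage first; shared_zip is never reopened.
    fd, staged = tempfile.mkstemp(dir=private_dir, suffix=".zip")
    try:
        with os.fdopen(fd, "wb") as dst, open(shared_zip, "rb") as src:
            shutil.copyfileobj(src, dst)
        # Verify the private copy (assumption: digest replaces the signature).
        with open(staged, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != expected_sha256:
                raise ValueError("voice pack failed verification")
        return safe_extract(staged, os.path.join(private_dir, "voices"))
    finally:
        os.remove(staged)


def safe_extract(zip_path, dest):
    """Extract under dest; reject the whole archive if any entry escapes it."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(zip_path) as zf:
        files = []
        for info in zf.infolist():  # validate every name before writing
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("entry escapes destination: " + info.filename)
            if not info.is_dir():
                files.append((info, target))
        for info, target in files:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
    return [target for _, target in files]


def make_zip(entries):
    """Constructed sample input: build an archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Because verification and extraction both read the staged file inside the private directory, a later write to the shared-storage path has no effect on what gets installed.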



References:
https://research.checkpoint.com/androids-man-in-the-disk/