Google Text-to-speech ( built-in app verifies signature of voice data downloaded to the public accessible external storage before it extraction to the internal storage. An attacker can overwrite a voice file right after verification and before extraction. Zip path-traversal vulnerability allows the attacker to overwrite any file in the app’s sandbox directory.