PT-2026-45231 · Go · Github.Com/Mvt-Project/Androidqf

Published: 2026-05-21 · Updated: 2026-05-21

CVSS v4.0: 1.1 (Low)

Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Summary

generateZipPath() constructs zip entry names for collected APKs using device-controlled content from extractFileName(). Since extractFileName() does not reject traversal sequences, the resulting zip entry name can contain ../. AndroidQF itself does not extract the zip it creates, but any forensic tool that extracts the acquisition bundle without zip-slip protection could write files to attacker-chosen paths.

Impact

A compromised device could inject path traversal sequences into the acquisition bundle's zip entry names. When a forensic analyst or forensic tooling extracts the bundle without entry name validation, files could be written outside the intended extraction directory.
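
The entry-name check that an extraction tool needs before writing anything from an acquisition bundle, as an added example that is not AndroidQF's code or its fix. The names safeJoin, rejectedEntries and sampleBundle, the sample entry names and the directory /cases/acq-001 are all hypothetical.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin returns entryName's path under destDir, or an error if it is absolute or escapes destDir.
func safeJoin(destDir, entryName string) (string, error) {
	name := filepath.FromSlash(strings.ReplaceAll(entryName, "\\", "/"))
	rel, err := filepath.Rel(destDir, filepath.Join(destDir, name))
	escapes := rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	if err != nil || filepath.IsAbs(name) || escapes {
		return "", fmt.Errorf("refusing zip entry %q: not a path under %s", entryName, destDir)
	}
	return filepath.Join(destDir, name), nil
}

// rejectedEntries reads entry names only and returns those that must not be extracted into destDir.
func rejectedEntries(data []byte, destDir string) (bad []string, err error) {
	// Newer Go versions may return a usable reader plus an insecure-path error; only nil is fatal.
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, err
	}
	for _, f := range r.File {
		if _, jerr := safeJoin(destDir, f.Name); jerr != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// sampleBundle builds a constructed in-memory zip: one ordinary entry name and one containing "../".
func sampleBundle() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range []string{"apks/com.example.app/base.apk", "apks/../../outside.apk"} {
		w.Create(n)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(rejectedEntries(sampleBundle(), "/cases/acq-001"))
}
```

An extractor would call safeJoin for every entry and skip or abort on error, writing only to the returned path.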

Patched version

Credits

This issue was identified during a security assessment conducted by 0xche.

Fix

Path traversal

Weakness Enumeration

Related identifiers

GHSA-JF2Q-463C-6F52

Affected products

Github.Com/Mvt-Project/Androidqf