Advisories for Golang/Github.com/Mvt-Project/Androidqf package

2026

androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers)

generateZipPath() constructs zip entry names for collected APKs using device-controlled content from extractFileName(). Since extractFileName() does not reject traversal sequences, the resulting zip entry name can contain ../. AndroidQF itself does not extract the zip it creates, but any forensic tool that extracts the acquisition bundle without zip-slip protection could write files to attacker-chosen paths.

androidqf: APK download Path Traversal in device APK paths

During device acquisition, getPathToLocalCopy() constructs local filesystem paths for downloaded APKs using a filename component extracted by extractFileName(). The extraction splits on ==/ and takes the remainder without sanitization. If a compromised device returns a crafted APK path containing traversal sequences, filepath.Join resolves them, allowing the file to be written outside the intended apks/ directory. Practical exploitability is limited because Android enforces strict package path formats under /data/app/ and does …
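The two advisories above share one root cause: a device-supplied name is used as a path component without validation. The following is an added example, not AndroidQF's code or its actual fix; every function name and the sample path are hypothetical and constructed for illustration. It shows the unchecked join next to a containment check, and an entry-name check a tool can apply before writing or extracting a bundle.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveLocalPath (hypothetical) shows the pattern the advisory describes:
// a device-supplied component goes straight into filepath.Join, which
// cleans the result and so resolves any ".." elements.
func naiveLocalPath(baseDir, deviceName string) string {
	return filepath.Join(baseDir, deviceName)
}

// safeLocalPath (hypothetical) joins, then verifies that the result is
// a file strictly inside baseDir before returning it.
func safeLocalPath(baseDir, deviceName string) (string, error) {
	full := filepath.Join(baseDir, deviceName)
	rel, err := filepath.Rel(baseDir, full)
	up := ".." + string(filepath.Separator)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, up) {
		return "", fmt.Errorf("device path %q escapes %q", deviceName, baseDir)
	}
	return full, nil
}

// safeZipEntry (hypothetical) validates a zip entry name. Zip names use
// forward slashes, so absolute names, backslashes and ".." are rejected.
func safeZipEntry(name string) error {
	if name == "" || strings.HasPrefix(name, "/") || strings.Contains(name, "\\") {
		return fmt.Errorf("rejected zip entry %q", name)
	}
	for _, part := range strings.Split(name, "/") {
		if part == ".." {
			return fmt.Errorf("rejected zip entry %q", name)
		}
	}
	return nil
}

func main() {
	crafted := "../../etc/evil.apk" // constructed sample, not a real device path
	fmt.Println("naive join:", naiveLocalPath("out/apks", crafted))
	_, err := safeLocalPath("out/apks", crafted)
	fmt.Println("checked join:", err)
	fmt.Println("zip entry:", safeZipEntry("apks/"+crafted))
}
```

The entry-name check applies on both sides: when building the bundle, and in any consumer that extracts it.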