Samsung WifiHs20UtilityService path traversal
Project Member Reported by hawkes@google.com, Jul 29 2015
A path traversal vulnerability was found in the WifiHs20UtilityService. This service is running on a Samsung S6 Edge device, and may be present on other Samsung device models.

WifiHs20UtilityService reads any files placed in /sdcard/Download/cred.zip, and unzips this file into /data/bundle. Directory traversal in the path of the zipped contents allows an attacker to write a controlled file to an arbitrary path as the system user.

We have triggered this issue via automatic downloads in Chrome, i.e. the file write vulnerability can be triggered by browsing to a website without any user interaction (a drive by attack model).

This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Project Member Comment 1 by scvitti@google.com, Jul 30 2015
Oct 22 2015
Oct 23 2015
Oct 27 2015
Fixed in October MR.
Oct 29 2015
where is facepalm smile ? )