Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
https://news.ycombinator.com/item?id=34316206
https://github.com/srikanth-lingala/zip4j/releases
https://github.com/srikanth-lingala/zip4j/issues/485