The RedDrip team at QiAnXin Threat Intelligence Center has released a new report detailing a multi-year series of zero-day exploitation campaigns by Advanced Persistent Threat (APT) actors operating from Northeast Asia, targeting both desktop and Android environments in highly sophisticated espionage operations.
The report reveals that the attackers’ activity “extends far beyond the endpoint side”, highlighting that they have “captured multiple 0-day attacks targeting Android email clients, whose technical level has reached 1-click, and it is likely the attackers have already mastered 0-click capabilities similar to ‘Triangulation.’”
While only a few of these zero-days—affecting Internet Explorer, Firefox, Foxmail, and WPS Office—were used against government and enterprise targets, most attacks focused on individuals in and around the Korean Peninsula. The RedDrip team writes, “The majority of the 0-days were used to target North Korean individuals in the Northeast region and Chinese people in contact with them.”
These campaigns, the researchers note, represent “a higher dimension of threat intelligence” that they describe as espionage confrontations between two countries and three parties in the Northeast region.
One of the report’s most striking findings is the first known in-the-wild exploitation of the ZipperDown vulnerability—initially discovered by Pangu Lab in 2018. “From 2018 to the present, there have been no public reports showing that this vulnerability has been exploited in the wild by APT groups,” the RedDrip team notes. “The RedDrip team is the first security team in the world to disclose that the ZipperDown vulnerability has been exploited in the wild by APT groups.”
In this attack, adversaries send specially crafted emails containing malicious attachments to Android devices. When a target “clicks on the email on their phone, ZipperDown is triggered instantly, unpacking a carefully crafted DAT file and releasing malicious SO and APK files to overwrite the target application components.”
These payloads often masquerade as political news from the North Korean Rodong Sinmun newspaper to lure victims into interaction.
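ZipperDown, as disclosed by Pangu Lab, belongs to the archive path-traversal class of bugs: an entry name inside the archive carries `../` components (or an absolute path), so a naive extractor writes it outside the intended directory and can overwrite an application's own libraries or components, which matches the report's description of a crafted DAT file "releasing malicious SO and APK files to overwrite the target application components". The following Python is an added illustration of the mitigation, not code from the QiAnXin/RedDrip report, Pangu Lab, or any affected mail client: it validates every entry against the destination directory before anything is written, and refuses the whole archive if any entry would escape. The sample archives and entry names are constructed inline so it runs offline.

```python
"""Safe archive extraction: reject entries that escape the destination.

Added example (not code from the RedDrip report or any affected app).
A ZipperDown-class bug writes archive entries such as "../../lib/x.so"
outside the extraction directory. The extractor below resolves each
entry's final path and refuses the archive if any entry lands outside
the destination, before a single byte is written.
"""
import io
import os
import zipfile
from typing import Dict, List


def unsafe_members(archive: zipfile.ZipFile, dest: str) -> List[str]:
    """Return the names of entries whose target path would escape dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    for info in archive.infolist():
        name = info.filename
        # Absolute paths and drive-letter paths are rejected outright.
        if os.path.isabs(name) or os.path.splitdrive(name)[0]:
            bad.append(name)
            continue
        # Resolve ".." components lexically against the destination.
        target = os.path.realpath(os.path.join(dest_real, name))
        # commonpath (not startswith) avoids prefix tricks such as
        # "/tmp/out" vs "/tmp/out2".
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad


def safe_extract(archive: zipfile.ZipFile, dest: str) -> List[str]:
    """Extract only when every entry stays inside dest; return written names.

    Validation happens over the whole archive first, so a malicious entry
    anywhere in the archive means nothing at all is written.
    """
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    dest_real = os.path.realpath(dest)
    written = []
    for info in archive.infolist():
        target = os.path.realpath(os.path.join(dest_real, info.filename))
        if info.is_dir():
            os.makedirs(target, exist_ok=True)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        # Write the bytes ourselves to the already-validated path rather
        # than trusting the entry name again at write time.
        with archive.open(info) as src, open(target, "wb") as dst:
            dst.write(src.read())
        written.append(info.filename)
    return written


def build_archive(entries: Dict[str, bytes]) -> zipfile.ZipFile:
    """Build an in-memory zip from {entry name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    # Constructed sample: a benign archive and one carrying traversal entries.
    out_dir = os.path.join(os.getcwd(), "extract_demo")
    benign = build_archive({"news/article.html": b"<p>constructed sample</p>"})
    print("benign archive, unsafe entries:", unsafe_members(benign, out_dir))
    hostile = build_archive({
        "ok.txt": b"harmless",
        "../../lib/libexample.so": b"constructed placeholder bytes",
    })
    print("hostile archive, unsafe entries:", unsafe_members(hostile, out_dir))
```

The same check belongs at the boundary of any code that unpacks attacker-supplied archives, whatever the language: compute the final path, compare it to the destination with a path-aware comparison, and fail closed on the first bad entry rather than skipping it, since a partially extracted archive can still leave an application in an inconsistent state.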
The RedDrip analysis details payload transitions over time:
- 2022–2023 Payloads: Attackers used a logic flaw in IMG image processing within an Android email app to deploy backdoors. The malicious SO file acted as a modified version of libttmplayer_lite.so, retaining its normal functionality while embedding downloader logic to fetch further commands from the command-and-control (C2) server.
- 2024–2025 Payloads: The weaponized module evolved into libpanglearmor.so, which “downloads the APK trojan from a remote server and loads it into memory.” The malware executes background routines via com.example.backservice.MainActivity, regularly “retriev[ing] commands from ‘/command’ and send[ing] the command results to /result,” while also “report[ing] the WIFI information connected to the device.”
Command capabilities include listing files, executing arbitrary processes, obtaining installed apps, initiating reverse shells, and exfiltrating data.
In 2024, RedDrip uncovered an additional code injection vulnerability in a popular Android email client. The exploit required only a single click to open a malicious email containing four crafted IMG tags that inserted JavaScript into the message body.
By abusing an undocumented internal API parameter called localfile, the attackers achieved arbitrary file reads, such as /data/data/…/databases/ paths, allowing theft of account tokens and configuration files.
RedDrip observed that “the attackers requested two files… After parsing the relevant data, they obtained the target account’s token,” and subsequently “the app’s XML configuration file, which contains the account’s configuration information, including various keys.”
This access enabled password-less account takeover: “The attackers can ultimately steal the user’s login status, operate the account without a password, and access all emails, contacts, files, and other sensitive data.”
RedDrip’s assessment underscores the geopolitical complexity behind these operations: “Operation South Star might also be an evidence collection activity under the MSMT cooperation framework,” hinting at state-to-state intelligence collaboration between allied actors.
The report concludes with a sobering warning about the escalation of mobile-based espionage: “After years of high-intensity confrontation, these discovered 0-day espionage activities are likely just the tip of the iceberg in national-level cyber warfare, but they are already close to the limit that current security vendors can reach.”