North Korean spies turn Google’s Find Hub into remote-wipe weapon
Summary
South Korean researchers at Genians say the DPRK-linked KONNI espionage crew abused Google’s Find My Device (Find Hub) to remotely factory-reset Android phones and tablets belonging to targets in South Korea. Attackers harvested Google and Naver credentials via spear-phishing delivered over KakaoTalk, used signed MSI/ZIP lures and AutoIT scripts to install RATs (RemcosRAT, QuasarRAT, RftRAT), then triggered wipes through the cloud service to erase messages, photos and forensic evidence.
The attackers also timed wipes by checking the device's GPS location so the reset landed while victims were away from their phones, re-issued wipe commands to delay recovery, and used still-authenticated KakaoTalk desktop sessions to forward malware-laden files to the victims' contacts, turning victims into immediate secondary infection vectors. Genians recommends enabling multifactor or biometric authentication for Find My Device, but once a factory reset has been performed through Google's service the data is irrecoverable.
Key Points
- KONNI abused Google’s Find My Device to remotely wipe Android devices after stealing account credentials.
- Initial compromise used KakaoTalk lures with signed MSI/ZIP attachments and AutoIT scripts to deploy RATs (RemcosRAT, QuasarRAT, RftRAT).
- Harvested Google and Naver credentials allowed attackers to log into victims’ cloud accounts and execute factory resets.
- Attackers timed wipes by checking device GPS and sometimes executed multiple wipes to prolong lockout and hamper recovery.
- Logged-in KakaoTalk desktop sessions were abused to propagate malware to victims’ contacts before the target regained access.
- Find My Device’s remote-reset feature — meant as a security safeguard — can be exploited when account credentials are compromised.
- Mitigation advice: enable MFA/biometrics, monitor account activity, and treat messaging-app attachments from contacts with caution.
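The "monitor account activity" advice above is only useful if something actually flags the pattern Genians describes: a sign-in from an unfamiliar device followed shortly by a remote factory reset, and repeated resets against the same account. The following is an added example, not code from the article or from Genians, showing one way to express that as a detection rule. The log format (ts,account,kind,new_device), the sample events and the 24-hour window are all constructed assumptions; real Google account audit events carry different field names, so the parser would need adapting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

@dataclass
class Event:
    ts: datetime
    account: str
    kind: str            # "login" or "remote_wipe" (constructed event types)
    new_device: bool     # login came from a device/session not seen before


def parse_events(lines: List[str]) -> List[Event]:
    """Parse constructed 'ts,account,kind,new_device' lines, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comment lines
        ts, account, kind, new_dev = [p.strip() for p in line.split(",")]
        events.append(Event(datetime.fromisoformat(ts), account, kind, new_dev == "1"))
    return sorted(events, key=lambda e: e.ts)


# Constructed sample account-activity log (not real Google audit data).
SAMPLE_LOG = """
# ts,account,kind,new_device
2025-11-10T09:00:00,alice@example.com,login,1
2025-11-10T13:30:00,alice@example.com,remote_wipe,0
2025-11-10T15:00:00,alice@example.com,remote_wipe,0
2025-11-10T08:00:00,bob@example.com,login,0
2025-11-10T10:00:00,bob@example.com,remote_wipe,0
2025-11-08T09:00:00,carol@example.com,login,1
2025-11-10T12:00:00,carol@example.com,remote_wipe,0
"""


def find_suspicious_wipes(events: List[Event],
                          window: timedelta = timedelta(hours=24)) -> List[Tuple[str, str, str]]:
    """Return (account, reason, wipe_timestamp) findings.

    Two rules, both defender-side and derived from the reported campaign:
      * a remote wipe within `window` of a new-device login
      * a second remote wipe within `window` of the previous one
    """
    findings: List[Tuple[str, str, str]] = []
    last_new_login: Dict[str, datetime] = {}
    last_wipe: Dict[str, datetime] = {}
    for e in events:
        if e.kind == "login":
            if e.new_device:
                last_new_login[e.account] = e.ts
        elif e.kind == "remote_wipe":
            prior = last_new_login.get(e.account)
            if prior is not None and e.ts - prior <= window:
                findings.append((e.account, "wipe_after_new_device_login", e.ts.isoformat()))
            prev_wipe = last_wipe.get(e.account)
            if prev_wipe is not None and e.ts - prev_wipe <= window:
                findings.append((e.account, "repeated_wipe", e.ts.isoformat()))
            last_wipe[e.account] = e.ts
    return findings


if __name__ == "__main__":
    for account, reason, when in find_suspicious_wipes(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{when} {account}: {reason}")
```

In the constructed sample, bob's wipe follows a login from an already-known device and raises nothing (a user resetting a lost phone from their usual laptop), carol's new-device login is more than 24 hours old, and alice trips both rules, which is the pattern worth routing to an analyst before the device is re-enrolled.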
Why should I read this?
Short version: state hackers found a neat trick to erase their own footprints. If you use Android and cloud-based device recovery, you need to know how attackers can turn those safety features against you, and what to do about it. Read this so you don't wake up to a blank phone and a malware outbreak spreading to your contacts.
Context and relevance
This incident highlights two converging trends: threat actors increasingly exploit legitimate cloud services to cover their tracks, and mobile platforms are now a primary vector in targeted espionage. KONNI’s campaign shows a mature adversary chaining social engineering, signed lures, commodity RATs and cloud account takeover to achieve rapid cleanup and lateral spread.
For organisations and individuals in the APAC, defence, government and research sectors the story is particularly relevant: it demonstrates how a messaging app popular in a region (KakaoTalk) becomes the initial attack surface and how cloud identity is critical to device resilience. The wider takeaway: strengthen account security (MFA/biometrics), limit long-lived authenticated sessions on desktop apps, and treat device-recovery features as high-risk when credentials are at stake.
