Android Devices Targeted by KONNI APT in Find Hub Exploitation

by CybrGPT

A new cyber-attack has been observed exploiting Google’s “Find Hub” service to remotely wipe data from Android devices.

The operation, uncovered by the Genians Security Center (GSC), is linked to the long-running KONNI advanced persistent threat (APT) campaign, associated with North Korea’s Kimsuky and APT37 groups.

In this attack, malicious files disguised as stress-relief programs were distributed through South Korea’s KakaoTalk messenger. The perpetrators impersonated psychological counselors and human rights activists supporting North Korean defectors.

Once victims executed the infected files, attackers obtained Google account credentials and triggered the Find Hub remote-wipe function to delete all data on targeted smartphones and tablets.

The GSC report marks the first confirmed case of a state-sponsored group abusing Google’s legitimate device management feature to carry out destructive operations.

“This development demonstrates a realistic risk that the feature can be abused within APT campaigns,” GSC said in its analysis.

How the Attack Unfolded

The campaign began when attackers used compromised KakaoTalk accounts to distribute an MSI installer disguised as a stress-relief app to trusted contacts.

When victims ran Stress Clear.msi, a normal installation window appeared while an AutoIt loader silently installed in the background.

The loader established persistence by copying executables to the public Music folder, registering a scheduled task and connecting to command-and-control (C2) servers to fetch additional modules.

These often included remote-access Trojans such as RemcosRAT, QuasarRAT and RftRAT, delivered either from the C2 infrastructure or through the compromised PC session.

Using stolen credentials, the attackers accessed victims’ Google accounts to track their real-time location via Find Hub. When a target was confirmed to be away, they triggered remote reset commands that wiped Android phones and tablets, cutting off alerts and delaying discovery.

With mobile notifications disabled, the actors then exploited active KakaoTalk PC sessions to spread further malicious files, expanding their reach through trusted social connections.

The installer’s valid-looking digital signature helped it bypass suspicion, and its setup routine deleted traces to further hinder analysis.

AutoIt scripts disguised as error dialogs ran on a loop, maintaining contact with C2 servers across multiple countries to receive new payloads.
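As an added illustration, not code from the GSC report or this article, the following Python checks a Task Scheduler definition (the XML form Windows records in Security event 4698 when a task is created) for the two persistence traits described above: an action executable staged under the public Music folder and an AutoIt interpreter used as the task action. The on-disk path for the public Music folder and the sample file names are assumptions.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace, as used in the task definition logged by event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the report: executables copied to the public Music
# folder and an AutoIt loader. The exact on-disk path is an assumption.
SUSPICIOUS_DIRS = ("c:\\users\\public\\music\\",)
AUTOIT_NAMES = ("autoit3.exe", "autoit3_x64.exe")


def task_findings(task_xml: str) -> list[str]:
    """Return the reasons a task definition matches the described persistence."""
    root = ET.fromstring(task_xml)
    findings = []
    for node in root.findall(".//t:Actions/t:Exec", NS):
        command = node.findtext("t:Command", "", NS).strip().strip('"')
        args = node.findtext("t:Arguments", "", NS)
        lowered = f"{command} {args}".lower()
        if any(d in lowered for d in SUSPICIOUS_DIRS):
            findings.append(f"action runs from public Music folder: {command} {args}".rstrip())
        if command.lower().rsplit("\\", 1)[-1] in AUTOIT_NAMES:
            findings.append(f"AutoIt interpreter used as task action: {command}")
    return findings


def _task(command: str, arguments: str = "") -> str:
    # Build a minimal, constructed task definition for the samples below.
    return (
        f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{command}</Command>'
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed samples; the file names are placeholders, not indicators from the report.
BENIGN_TASK = _task(r"C:\Program Files\ExampleVendor\updater.exe", "/check")
STAGED_TASK = _task(r"C:\Users\Public\Music\hostsvc.exe")
AUTOIT_TASK = _task(r"C:\Users\Public\Music\AutoIt3.exe", r"C:\Users\Public\Music\run.au3")

if __name__ == "__main__":
    for name, xml in [("benign", BENIGN_TASK), ("staged", STAGED_TASK), ("autoit", AUTOIT_TASK)]:
        print(name, task_findings(xml) or "clean")
```

In a real deployment the XML would come from the TaskContent field of event 4698 or from an export of the task library, and a match should be treated as a lead for triage, not a verdict on its own.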


Recommended Defenses

To defend against this threat, GSC recommended strengthening endpoint detection and response (EDR) monitoring and implementing behavior-based anomaly detection. Additional advice includes:

  • Enabling two-factor authentication for Google accounts

  • Adding verification steps for remote wipe requests

  • Verifying the origin of messenger files before downloading

The security researchers also warned that such trust-based attacks are becoming more advanced, combining human deception with technical precision.

Strengthening authentication and real-time monitoring, they noted, remains the best defense against these evolving APT threats.

Image credit: El editorial / Shutterstock.com

