North Korean hackers exploit Google’s safety tools for remote wipe

North Korea-linked threat actors have found a novel way to weaponize Google’s own security ecosystem, using it to wipe espionage data from victim phones remotely.

According to findings by Genians Security Center (GSC), the attackers leveraged Google’s Android device-locating and remote-management service, “Find Hub”, to remotely wipe data on Android phones and tablets.

“While Find Hub is intended to safeguard Android devices, this is the first confirmed case in which a state-sponsored threat actor obtained remote control by compromising Google accounts, then used the service to perform location tracking and remote wipe,” GSC researchers said in a blog post. “This development demonstrates a realistic risk that the feature can be abused within APT campaigns.”

GSC has attributed these activities to the KONNI APT group, known to be associated with the Kimsuky or APT37 groups.

The campaign was further bolstered by social engineering via the popular Korean messenger KakaoTalk, where victims were sent malicious apps disguised as psychological “stress-relief” programs.

From the lost phone feature to a wipe bomb

GSC found that the attackers compromised legitimate Google accounts to take full advantage of Find Hub’s remote-management functionality. Once logged in, they could track location and execute wipe commands on Android devices, effectively deleting personal data and disabling the device’s normal alert channels.

“A notable finding is that immediately after confirming through Find Hub’s location query that the victim was outside, the threat actor executed a remote reset command on the victim’s devices,” the researchers added. “The remote reset halted normal device operation, blocking notification and message alerts from messenger applications and effectively cutting off the account owner’s awareness channel, thereby delaying detection and response.”

By knocking the device offline, the attacker gains a silent window in which the victim cannot see warnings from their contacts or account alerts, and can use it for further propagation and control.

The blog explained that initial access was obtained through spear-phishing emails impersonating South Korea’s National Tax Service (NTS). Victims received an email with an attachment that, once executed, installed malicious AutoIt-based scripts or dropped a RAT that stole their Google credentials.

“To prevent the unauthorized abuse of remote wipe features through compromised Google accounts, service providers should review and implement real-time security verification measures, such as additional authentication processes that confirm the legitimate device owner,” researchers recommended.

The social engineering link

The threat continues beyond device wiping, with attackers distributing malware by compromising KakaoTalk accounts of trusted contacts.

GSC found that malicious files disguised as “stress-relief programs” were sent to close contacts via the messenger. “Among the victims was a professional psychological counselor who supports North Korean defector youths during resettlement by addressing psychological difficulties and providing services such as career guidance, educational counseling, and mentoring to help stabilize their well-being,” researchers added.

While one attack vector used device neutralization to disable alerts, the other launched malware distribution through compromised chat accounts. GSC called this combination unprecedented among known state-sponsored APT actors and said it shows the attacker’s “tactical maturity and advanced evasion strategy”.

Reinforcing verification of files received via messenger platforms before opening and executing them, and using clear warning prompts to help users avoid downloading or running malicious files, might help against this vector, the blog noted. The Genians findings, like the recent ClayRat and BadBox 2.0 campaigns, highlight a growing trend of attackers abusing trusted apps and built-in services instead of relying on complex zero-day exploits.
