{"id":5750,"date":"2025-11-11T12:06:40","date_gmt":"2025-11-11T12:06:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5750"},"modified":"2025-11-11T12:06:40","modified_gmt":"2025-11-11T12:06:40","slug":"north-korean-hackers-exploit-googles-safety-tools-for-remote-wipe","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5750","title":{"rendered":"North Korean hackers exploit Google\u2019s safety tools for remote wipe"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>North Korea-linked threat actors have found a novel way to weaponize Google\u2019s own security ecosystem, using it to wipe espionage data from victim phones remotely.<\/p>\n<p>According to findings by Genians Security Center (GSC), the attackers leveraged the Android device-tracing and management service \u201cFind Hub\u201d to remotely wipe data on Android phones and tablets.<\/p>\n<p>\u201cWhile Find Hub is intended to safeguard Android devices, this is the first confirmed case in which a state-sponsored threat actor obtained remote control by compromising Google accounts, then used the service to perform location tracking and remote wipe,\u201d GSC researchers said in a blog post. 
\u201cThis development demonstrates a realistic risk that the feature can be abused within APT campaigns.\u201d<\/p>\n<p>GSC has attributed these activities to the KONNI APT group, known to be associated with the <a href=\"https:\/\/www.csoonline.com\/article\/2066558\/north-korean-kimsuky-groups-attack-chain-blends-with-legitimate-traffic.html\">Kimsuky<\/a> or APT37 groups.<\/p>\n<p>The campaign was further bolstered by social engineering via the popular Korean messenger KakaoTalk, where victims were sent malicious apps disguised as psychological \u201cstress-relief\u201d programs.<\/p>\n<h2 class=\"wp-block-heading\">From the lost phone feature to a wipe bomb<\/h2>\n<p>GSC found that the attackers compromised legitimate Google accounts to take full advantage of Find Hub\u2019s remote-management functionality. Once logged in, they could track location and execute wipe commands on Android devices, effectively deleting personal data and disabling the device\u2019s normal alert channels.<\/p>\n<p>\u201cA notable finding is that immediately after confirming through Find Hub\u2019s location query that the victim was outside, the threat actor executed a remote reset command on the victim\u2019s devices,\u201d the researchers added. \u201cThe remote reset halted normal device operation, blocking notification and message alerts from messenger applications and effectively cutting off the account owner\u2019s awareness channel, thereby delaying detection and response.\u201d<\/p>\n<p>By cutting the device off, the attacker creates a silent window for further propagation and control.<\/p>\n<p>The blog <a href=\"https:\/\/www.genians.co.kr\/en\/blog\/threat_intelligence\/android\" target=\"_blank\" rel=\"noopener\">explained<\/a> that initial access was obtained through spear-phishing emails impersonating South Korea\u2019s National Tax Service (NTS). 
Victims received an email with an attachment that, once executed, installed malicious scripts (AutoIt-based) or dropped a RAT to steal Google credentials.<\/p>\n<p>\u201cTo prevent the unauthorized abuse of remote wipe features through compromised Google accounts, service providers should review and implement real-time security verification measures, such as additional authentication processes that confirm the legitimate device owner,\u201d researchers recommended.<\/p>\n<h2 class=\"wp-block-heading\">The social engineering link<\/h2>\n<p>The threat continues beyond device wiping, with attackers distributing malware by compromising <a href=\"https:\/\/www.csoonline.com\/article\/538482\/data-protection-android-messaging-malware-targets-tibetan-activists.html\">KakaoTalk<\/a> accounts of trusted contacts.<\/p>\n<p>GSC found that malicious files disguised as \u201cstress-relief programs\u201d were sent to close contacts via the messenger. \u201cAmong the victims was a professional psychological counselor who supports North Korean defector youths during resettlement by addressing psychological difficulties and providing services such as career guidance, educational counseling, and mentoring to help stabilize their well-being,\u201d researchers added.<\/p>\n<p>While one attack vector used device neutralization to disable alerts, the other launched the malware distribution via compromised chat accounts. GSC called this mix unprecedented among known state-sponsored APT actors and said it shows the attacker\u2019s \u201ctactical maturity and advanced evasion strategy\u201d.<\/p>\n<p>Reinforcing verification of files received via messenger platforms before opening and execution, and using clear warning prompts to help users avoid downloading or running malicious files, might help against this vector, the blog noted. 
The Genians findings, like the recent <a href=\"https:\/\/www.csoonline.com\/article\/4070281\/clayrat-spyware-turns-phones-into-distribution-hubs-via-sms-and-telegram.html\">ClayRat<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/3840157\/badbox-android-botnet-disrupted-through-coordinated-threat-hunting.html\">Badbox 2.0<\/a> campaigns, highlight a growing trend of attackers exploiting trusted apps and built-in services instead of relying on complex zero-day exploits.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>North Korea-linked threat actors have found a novel way to weaponize Google\u2019s own security ecosystem, using it to wipe espionage data from victim phones remotely. According to findings by Genians Security Center (GSC), the attackers leveraged the Android device-tracing and management service \u201cFind Hub\u201d to remotely wipe data on Android phones and tablets. \u201cWhile Find [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5751,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5750","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5750"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5750"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5750\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/57
51"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}