North Korean spies turn Google’s Find Hub into remote-wipe weapon
North Korean state-backed spies have found a new way to torch evidence of their own cyber-spying – by hijacking Google’s “Find Hub” service to remotely wipe Android phones belonging to their South Korean targets.
Researchers at South Korean cybersecurity firm Genians said the campaign, attributed to the long-running KONNI group, abused Google’s device management features to trigger factory resets on compromised smartphones and tablets. In several cases, victims’ devices were wiped without authorization, erasing messages, photos, and other data that could have revealed traces of the intrusion.
“The recently identified KONNI campaign is particularly notable for cases in which Google Android–based smartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of personal data stored on the devices,” Genians wrote in its analysis.
The KONNI group, linked for years to North Korea’s intelligence apparatus, has a history of espionage operations aimed at Seoul’s government, military, and think tank sectors. Its latest campaign marks an escalation in its mobile-focused tactics, showing that Pyongyang’s cyber operators are increasingly adept at exploiting legitimate cloud services to hide their activity and control victims’ devices.
According to Genians, the attackers used stolen Google account credentials harvested through spear-phishing or fake login pages to sign in to victims’ Find My Device profiles (the service Google has since rebranded as Find Hub). The feature, which allows users to locate lost phones, lock them, or perform a factory reset, became an unwitting tool for sabotage. Once logged in, the hackers could trigger remote wipes, locking victims out of their own phones and destroying incriminating evidence of compromise. No device-side exploit was needed: possession of the account password was sufficient, which is why the wipe was indistinguishable from a legitimate owner-initiated reset.
The infection chain began with victims being approached via the popular South Korean messaging app KakaoTalk. Attackers sent files masquerading as benign content, lured victims into running signed MSI installers or ZIP archives, and used AutoIt scripts to deploy RATs such as RemcosRAT, QuasarRAT and RftRAT. These tools harvested Google and Naver account credentials from the infected Windows machines, giving the attackers the cloud-account access they needed to manipulate the victims’ services and use Find My Device to pull the plug.
Immediately after the reset, the attackers reportedly exploited the victim’s still-logged-in KakaoTalk desktop app to send malware-laden files to the victim’s contacts – effectively turning each compromised account into a secondary infection vector. This rapid follow-on phase allowed the KONNI operators to spread their payloads before targets could regain access to their wiped devices.
Additional findings show the attackers used the GPS location feature in Find My Device to identify when a target was outside and less likely to react quickly. In one incident, the attacker executed the wipe command not just once but three times, further delaying device recovery and ensuring the victim remained locked out.
The tactic underscores a growing risk for anyone relying on “lost device” features that are tied to online identity systems. While the ability to remotely reset a stolen phone is designed as a security safeguard, it also offers attackers an easy way to destroy evidence or cause disruption once account credentials are stolen.
KONNI’s use of Android wiping follows years of more traditional espionage tactics, including Windows malware campaigns and phishing attacks designed to exfiltrate documents and credentials. The group has previously deployed custom backdoors disguised as North Korea policy papers or government forms, and has been observed overlapping infrastructure with other DPRK outfits, including Kimsuky.
Genians recommends that users of Find My Device tools enable multifactor or biometric authentication. For victims of KONNI’s latest stunt, however, the damage is already done. Once a factory reset is triggered through Google’s own service, there’s no undo button – just a blank phone and the tidy handiwork of a state hacker covering their tracks. ®
