North Korean hackers exploit Google’s safety tools for remote wipe

North Korean threat actors are exploiting Google’s “Find Hub” service to remotely wipe data from Android devices, effectively turning a security feature into a weapon for espionage. This marks the first confirmed instance of a state-sponsored group compromising Google accounts to leverage Find Hub for location tracking and remote wiping. The attackers, attributed to the KONNI APT group (associated with Kimsuky/APT37), are using social engineering tactics via KakaoTalk to further spread malware.

The attackers compromise legitimate Google accounts to gain full control of Find Hub’s remote management capabilities. Once logged in, they can track device locations and execute wipe commands, deleting personal data and disabling device alerts. Researchers noted that immediately after confirming a victim was away from their device via Find Hub’s location query, the attacker initiated a remote reset, blocking notifications and messages, and delaying detection. Initial access is achieved through spear-phishing emails impersonating South Korea’s National Tax Service (NTS), which install malicious scripts or a Remote Access Trojan (RAT) to steal Google credentials.

Beyond device wiping, the attackers distribute malware by compromising KakaoTalk accounts of trusted contacts, sending malicious files disguised as “stress-relief programs.” One victim was a counselor supporting North Korean defectors, highlighting the targeted nature of the attacks. This combination of device neutralization to silence alerts and malware distribution via compromised chat accounts demonstrates the attacker’s tactical maturity and advanced evasion strategies.

To mitigate these threats, service providers should implement real-time security verification measures, such as additional authentication processes, to confirm the legitimate device owner before allowing remote wipe actions. Users should also reinforce verification of files received via messenger platforms and heed clear warning prompts to avoid downloading or running malicious files.
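The sequence described above (attacker queries the device location, confirms the owner is away, then wipes within minutes from a freshly compromised session) is exactly the pattern a provider-side check can key on before honouring a remote wipe. The following is an added example, not code from the original post, from Genians, or from Google's Find Hub service: it models the "verify the legitimate owner before allowing a remote wipe" mitigation as a step-up policy evaluated over a constructed account-management event log. Field names, the account name, the IP addresses and the 15-minute window are all assumptions chosen for illustration.

```python
"""Step-up policy for remote-wipe requests (added example; assumed event schema)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    session_id: str
    src_ip: str
    action: str            # "login", "locate" (location query) or "wipe"
    trusted_session: bool  # session was bound to a device the owner already verified

# A location query followed by a wipe inside this window is treated as the
# "confirm the owner is away, then wipe" pattern described in the post.
LOCATE_TO_WIPE_WINDOW = timedelta(minutes=15)

def _ev(ts: str, session: str, ip: str, action: str, trusted: bool) -> Event:
    # Constructed sample data; the account "alice" and the IPs are documentation addresses.
    return Event(datetime.fromisoformat(ts), "alice", session, ip, action, trusted)

SAMPLE_EVENTS: List[Event] = [
    # Day 1: owner, on a verified device, wipes a phone she has lost.
    _ev("2025-11-03T09:00:00", "s-owner", "203.0.113.10", "login", True),
    _ev("2025-11-03T09:05:00", "s-owner", "203.0.113.10", "wipe", True),
    # Day 2: stolen credentials used from a new session: login, locate, wipe in 3 minutes.
    _ev("2025-11-04T14:00:00", "s-new", "198.51.100.7", "login", False),
    _ev("2025-11-04T14:02:00", "s-new", "198.51.100.7", "locate", False),
    _ev("2025-11-04T14:03:00", "s-new", "198.51.100.7", "wipe", False),
]

def reasons_to_step_up(history: List[Event], wipe: Event) -> List[str]:
    """Return the reasons a wipe request must be re-confirmed with the owner.

    An empty list means the request looks like routine owner activity and may
    proceed; a non-empty list means the provider should require an additional
    verification step (e.g. confirmation on a previously trusted device) first.
    """
    if wipe.action != "wipe":
        raise ValueError("reasons_to_step_up expects a wipe event")
    prior = [e for e in history if e.account == wipe.account and e.ts < wipe.ts]
    reasons: List[str] = []

    # 1. The requesting session was never verified on a device the owner controls.
    if not wipe.trusted_session:
        reasons.append("wipe issued from a session never verified on an owner device")

    # 2. A location query shortly before the wipe matches the observed tradecraft.
    recent_locates = [e for e in prior
                      if e.action == "locate" and wipe.ts - e.ts <= LOCATE_TO_WIPE_WINDOW]
    if recent_locates:
        minutes = int(LOCATE_TO_WIPE_WINDOW.total_seconds() // 60)
        reasons.append(f"location query preceded the wipe within {minutes} minutes")

    # 3. The request comes from an address never seen on any trusted session.
    trusted_ips = {e.src_ip for e in prior if e.trusted_session}
    if trusted_ips and wipe.src_ip not in trusted_ips:
        reasons.append(f"wipe source {wipe.src_ip} not seen on any trusted session")
    return reasons

def decision(reasons: List[str]) -> str:
    """Map the reason list to the action the wipe endpoint should take."""
    return "allow" if not reasons else "require_owner_verification"

def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Evaluate every wipe in a log; keyed by the wipe's ISO timestamp."""
    return {e.ts.isoformat(): reasons_to_step_up(events, e)
            for e in events if e.action == "wipe"}

if __name__ == "__main__":
    for when, reasons in triage(SAMPLE_EVENTS).items():
        print(when, decision(reasons), reasons)
```

Run stand-alone, the owner's day-1 wipe is allowed while the day-2 wipe is held for owner verification on all three grounds. The check deliberately keys on account-level signals (session trust, the locate-then-wipe timing, source address history) rather than on anything device-side, because by the time the wipe lands the device can no longer alert its owner.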

The Genians Security Center (GSC) findings, along with recent ClayRat and Badbox 2.0 campaigns, underscore a trend of attackers exploiting trusted apps and built-in services, rather than relying on complex zero-day exploits. This shift necessitates a focus on securing accounts and verifying the authenticity of communications, even within trusted platforms.

To read the complete article see: CSO Article

This post is licensed under CC BY 4.0 by the author.