North Korean hackers are using Google’s Find Hub tool in a new wave of cyberattacks to track victims’ locations and remotely wipe their Android devices, according to a report by South Korean cybersecurity company Genians.

The attacks are mainly aimed at South Koreans and often begin through KakaoTalk, the country’s most widely used messaging app.

Genians linked this activity to the KONNI threat group, which shares infrastructure and targets with other North Korean hacker collectives, including Kimsuky and APT37. These groups have a long history of cyber espionage against South Korea’s government, education, and cryptocurrency sectors.

The hackers send spear-phishing emails that appear to come from official institutions such as the National Tax Service or the police. The emails carry malicious attachments—usually MSI files or ZIP archives—that appear legitimate. When opened, these files silently install malware that establishes persistence on the computer and downloads additional components.
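The report describes the lure as an MSI installer or a ZIP archive that looks like an ordinary document. The following attachment triage helper is an added example written for this article; it is not code from Genians or from Google. It checks a file's real type from its magic bytes, flags double extensions, and lists executable members inside ZIP archives. The sample MSI header, the sample archive and its member names are constructed here so the script runs offline, and the list of executable extensions is an assumed starting point rather than an exhaustive one.

```python
"""Attachment triage helper (added example, not from the Genians report).

Answers the question a recipient should ask before opening a file received
by e-mail or through a messaging app: is this really a document, or an
installer/archive that executes code?  Sample inputs are constructed inline.
"""
import io
import os
import zipfile

# MSI installers are OLE2 compound documents; ZIP archives start with "PK\x03\x04".
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions that run code when double-clicked on Windows.
# Assumption: a reasonable starting list, not an exhaustive one.
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".lnk", ".js", ".vbs",
                   ".bat", ".cmd", ".ps1", ".hta", ".dll"}

# OLE2 containers that are documents rather than installers.
OLE2_DOCUMENT_EXTS = {".doc", ".xls", ".ppt"}


def detect_type(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"   # MSI installer or a legacy Office document
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def risky_zip_members(data: bytes) -> list:
    """Return archive members whose final extension is executable."""
    risky = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):          # directory entry, nothing to run
                continue
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                risky.append(name)
    return risky


def triage(filename: str, data: bytes) -> dict:
    """Collect the reasons a file should not be opened without further checks."""
    kind = detect_type(data)
    base, claimed = os.path.splitext(filename)
    claimed = claimed.lower()
    reasons = []

    # "notice.pdf.msi" style names hide the real extension in explorers that
    # suppress known extensions.
    if os.path.splitext(base)[1]:
        reasons.append("double extension")

    if claimed == ".msi":
        reasons.append("MSI installer: executes code when opened")
    elif kind == "ole2" and claimed not in OLE2_DOCUMENT_EXTS:
        reasons.append("content is an OLE2 container but extension says otherwise")

    if kind == "zip":
        members = risky_zip_members(data)
        if members:
            reasons.append("archive contains executable: " + ", ".join(members))
    elif claimed == ".zip":
        reasons.append("named .zip but content is not a ZIP archive")

    return {"type": kind, "claimed_ext": claimed,
            "reasons": reasons, "suspicious": bool(reasons)}


def build_sample_zip() -> bytes:
    """Constructed sample: an archive that bundles a readme with an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stress_relief_program/readme.txt", "constructed sample")
        zf.writestr("stress_relief_program/setup.exe", b"MZ" + b"\x00" * 16)
    return buf.getvalue()


# Constructed sample: only the OLE2 header, enough for type detection.
SAMPLE_MSI = OLE2_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in [("tax_notice.pdf.msi", SAMPLE_MSI),
                       ("stress_relief_program.zip", build_sample_zip()),
                       ("notes.txt", b"plain text, nothing to run")]:
        print(name, triage(name, blob))
```

The check is deliberately independent of the file name: a file that claims to be a PDF but begins with the OLE2 header is reported on its content, which is the property a mail gateway or an endpoint agent should key on rather than the extension the sender chose.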

Once the system is compromised, the malware retrieves tools like RemcosRAT, QuasarRAT, and RftRAT, which enable remote access, keylogging, and credential theft. The attackers then use stolen Google and Naver account credentials to log into victims’ accounts, change security settings, and erase traces of their intrusion.

Using the stolen credentials, the hackers access Google Find Hub—Android’s built-in “Find My Device” feature—to pinpoint the location of victims’ phones and perform a remote factory reset. This not only deletes all stored data but also disconnects victims from their KakaoTalk sessions. The attackers then take over the compromised KakaoTalk accounts to spread malicious files to the victims’ contacts.


In one case analyzed by Genians, a counselor who worked with North Korean defector students had their KakaoTalk account hijacked. The attacker sent a malicious “stress relief program” file to a student and later used Find Hub to remotely wipe the counselor’s phone multiple times, making recovery impossible.

Another similar incident was observed days later, suggesting the campaign is ongoing. Experts recommend enabling multi-factor authentication on Google accounts, keeping recovery options updated, and verifying the sender before opening files received via messaging apps.

Google responded to the report, confirming that the attacks did not exploit any security flaw in Android or Find Hub. Instead, they relied on stolen credentials from infected computers to misuse legitimate account functions.


Google urged users to enable two-step verification or passkeys and advised high-risk individuals to enroll in its Advanced Protection Program for stronger security.
