Android Devices Hit by Data-Wipe Malware via Google’s Find Hub in North Korean Cyberattack

Android Devices Under Siege: Remote Data-Wipe Malware Exploits Google’s Find Hub

A sophisticated cyberattack has emerged, targeting Android devices by exploiting Google’s Find Hub service to execute remote data wipes. This campaign, primarily affecting users in South Korea, marks the first documented instance where state-sponsored actors have weaponized a legitimate device protection feature to erase user data and disrupt device functionality.

Attack Overview

The attack initiates through social engineering tactics, with malicious files disguised as stress-relief programs distributed via the KakaoTalk messaging platform. Victims receive a ZIP archive named Stress Clear.zip, containing a Microsoft Installer (MSI) package. Upon execution, the installer operates silently in the background, displaying fake error messages about language pack compatibility to mask its activities.

Infection Mechanism and Persistence

Once installed, the malware establishes persistence using AutoIt scripts registered in Windows Task Scheduler, ensuring continuous operation even after system reboots. It maintains command-and-control communication with servers located in Germany, specifically at IP address 116.202.99.218 and the domain bp-analytics.de.

Attribution to State-Sponsored Actors

Security researchers have identified this campaign as part of the KONNI Advanced Persistent Threat (APT) operation, linked to North Korean state-sponsored groups Kimsuky and APT37, both operating under the 63 Research Center. The initial compromise occurred on September 5, 2025, when threat actors hijacked the KakaoTalk account of a South Korean psychological counselor specializing in support for North Korean defector youth. By leveraging this trusted relationship, attackers distributed malicious files to the counselor’s contacts, turning victims into unwitting distribution channels for further propagation.

Deployment of Remote Access Trojans

Following system compromise, the malware deploys multiple Remote Access Trojans (RATs), including RemcosRAT 7.0.4 Pro, QuasarRAT, and RftRAT. These payloads enable comprehensive system surveillance through webcam monitoring, keystroke logging, and credential harvesting. The threat actors specifically targeted Google account credentials to gain unauthorized access to Find Hub, Google’s device management service designed to locate and protect lost or stolen Android devices.

Exploitation of Google’s Find Hub

Once credentials were obtained, attackers executed remote factory reset commands on victims’ smartphones and tablets via Find Hub, permanently deleting personal data and rendering devices temporarily unusable. This exploitation of a legitimate security feature underscores the evolving tactics of cyber adversaries in leveraging trusted services for malicious purposes.

Technical Details of the Malware

The infection chain initiates when users execute the Stress Clear.msi file, which carries a fraudulent digital signature issued to Chengdu Hechenyingjia Mining Partnership Enterprise in China. This code-signing abuse provides an appearance of legitimacy that bypasses initial security checks.

During installation, the MSI package invokes an embedded batch script install.bat that copies AutoIt3.exe and the malicious script loKITr.au3 to the public Music folder at C:\Users\Public\Music. The install.bat script creates a scheduled task using a renamed copy of schtasks.exe called hwpviewer.exe to masquerade as a legitimate document viewer. This task executes the AutoIt script every minute, ensuring persistent malware execution even after system restarts. The script then deletes the original installation files to eliminate forensic traces.

Meanwhile, error.vbs displays a deceptive Korean-language error message claiming incompatibility between system and program language packs, convincing users that installation failed when malicious operations are actually completing successfully.
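As an added, defender-side example (not part of the original article, and not code from the researchers it cites), the following Python checks constructed Sysmon process-creation and Windows Security Event 4698 task-creation records for the persistence traits described above: a renamed copy of schtasks.exe (Sysmon records the PE's OriginalFileName, so renaming the file on disk does not hide it), AutoIt3.exe and a .au3 script under C:\Users\Public, and a task that repeats every minute. Every sample event, the two task names, the directory of the renamed schtasks.exe copy and the benign updater path are constructed for illustration; only the file and folder names come from the article.

```python
"""Constructed detection example for scheduled-task persistence of the kind
described in the article. Sample events are made up; nothing here is real telemetry."""
import ntpath
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespace of the task definition XML carried in the TaskContent field of Event 4698
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories any local user can write to; persistence launched from here deserves review
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\")
USER_WRITABLE_PARTS = ("\\appdata\\local\\temp\\",)
# Repetition intervals at or below this many seconds are unusual for legitimate tasks
TIGHT_REPEAT_SECONDS = 300
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_iso_duration(value: str) -> Optional[int]:
    """Convert the ISO 8601 duration Task Scheduler uses (e.g. PT1M) to seconds."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def in_user_writable_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or any(x in p for x in USER_WRITABLE_PARTS)


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1. OriginalFileName comes from the PE version resource."""
    image: str
    original_file_name: str
    command_line: str


@dataclass
class TaskCreatedEvent:
    """Subset of Security Event ID 4698 (scheduled task created)."""
    task_name: str
    task_content: str  # task definition XML


def check_process(ev: ProcessEvent):
    findings = []
    on_disk = ntpath.basename(ev.image).lower()
    if ev.original_file_name.lower() == "schtasks.exe" and on_disk != "schtasks.exe":
        findings.append(f"schtasks.exe running under a different name: {ev.image}")
    if on_disk == "autoit3.exe" and in_user_writable_dir(ev.image):
        findings.append(f"AutoIt interpreter launched from user-writable path: {ev.image}")
    if ".au3" in ev.command_line.lower() and in_user_writable_dir(ev.command_line):
        findings.append(f"AutoIt script argument in user-writable path: {ev.command_line}")
    return findings


def check_task(ev: TaskCreatedEvent):
    findings = []
    root = ET.fromstring(ev.task_content)
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if in_user_writable_dir(command) or in_user_writable_dir(args):
            findings.append(f"task action runs from user-writable path: {command} {args}".rstrip())
        if ntpath.basename(command.strip('"')).lower() == "autoit3.exe" or args.lower().endswith(".au3"):
            findings.append("task action invokes an AutoIt script")
    for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        secs = parse_iso_duration(interval.text or "")
        if secs is not None and secs <= TIGHT_REPEAT_SECONDS:
            findings.append(f"task repeats every {secs}s")
    return findings


def scan(process_events, task_events):
    """Return {event label: findings} for every event that tripped at least one check."""
    report = {}
    for pev in process_events:
        if hits := check_process(pev):
            report[pev.image] = hits
    for tev in task_events:
        if hits := check_task(tev):
            report[tev.task_name] = hits
    return report


# Constructed samples. The folder of the renamed schtasks.exe copy is assumed, not from the article.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Users\Public\Music\hwpviewer.exe", "schtasks.exe", "hwpviewer.exe /create"),
    ProcessEvent(r"C:\Users\Public\Music\AutoIt3.exe", "AutoIt3.exe",
                 r"C:\Users\Public\Music\AutoIt3.exe C:\Users\Public\Music\loKITr.au3"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe", "schtasks.exe /query"),  # benign
]
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2025-09-05T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Music\AutoIt3.exe</Command>
    <Arguments>C:\Users\Public\Music\loKITr.au3</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-09-05T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command>
    <Arguments>/check</Arguments></Exec></Actions>
</Task>"""
SAMPLE_TASK_EVENTS = [
    TaskCreatedEvent("constructed_task_suspicious", SUSPICIOUS_TASK_XML),
    TaskCreatedEvent("constructed_task_benign", BENIGN_TASK_XML),
]
FINDINGS = scan(SAMPLE_PROCESS_EVENTS, SAMPLE_TASK_EVENTS)

if __name__ == "__main__":
    for label, hits in FINDINGS.items():
        print(label)
        for hit in hits:
            print("  -", hit)
```

The three checks are independent so that a single trait (a renamed system binary, an interpreter in a world-writable folder, or a sub-five-minute repetition) is enough to surface the event; tune TIGHT_REPEAT_SECONDS and the writable-path list to the environment, since some monitoring agents legitimately schedule short intervals.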

Implications and Recommendations

This campaign highlights the increasing sophistication of cyber threats, particularly those orchestrated by state-sponsored actors. The abuse of legitimate services like Google’s Find Hub for malicious purposes poses significant challenges for both users and security professionals.

To mitigate such risks, users are advised to:

– Exercise Caution with Unsolicited Files: Avoid opening files or clicking on links from unknown or untrusted sources, especially those received via messaging platforms.

– Verify Application Authenticity: Before installing any application, ensure it is obtained from official and reputable sources.

– Monitor Account Activity: Regularly review account activities for any unauthorized access or changes.

– Enable Two-Factor Authentication (2FA): Implementing 2FA adds an extra layer of security, making it more difficult for attackers to gain unauthorized access.

– Keep Software Updated: Regularly update operating systems and applications to patch known vulnerabilities.

By adopting these practices, users can enhance their security posture and reduce the likelihood of falling victim to such sophisticated attacks.