North Korean spies turn Google's Find Hub into remote-wipe weapon

Miravi (thread author)
Aug 31, 2024
North Korean state-backed spies have found a new way to torch evidence of their own cyber-spying – by hijacking Google's "Find Hub" service to remotely wipe Android phones belonging to their South Korean targets.

Researchers at South Korean cybersecurity firm Genians said the campaign, attributed to the long-running KONNI group, abused Google's device management features to trigger factory resets on compromised smartphones and tablets. In several cases, victims' devices were wiped without authorization, erasing messages, photos, and other data that could have revealed traces of the intrusion.

"The recently identified KONNI campaign is particularly notable for cases in which Google Android–based smartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of personal data stored on the devices," Genians wrote in its analysis.

The KONNI group, linked for years to North Korea's intelligence apparatus, has a history of espionage operations aimed at Seoul's government, military, and think tank sectors. Its latest campaign marks an escalation in its mobile-focused tactics, showing that Pyongyang's cyber operators are increasingly adept at exploiting legitimate cloud services to hide their activity and control victims' devices.

According to Genians, the attackers used stolen Google account credentials harvested through spear-phishing or fake login pages to access victims' profiles on the Find My Device platform. The feature, which allows users to locate lost phones, lock them, or perform a factory reset, became an unwitting tool for sabotage. Once logged in, the hackers could trigger remote wipes, locking victims out of their own phones and destroying incriminating evidence of compromise.
 
That's why I have a YubiKey as 2FA for Google services.

Just had to use that Find Hub service yesterday. My phone with the Oct 2025 update was hacked; the Settings > System menu was gone, so I couldn't reset the phone. I had to use Find Hub to remotely reset it. It reset the phone and now I am on today's Nov 2025 update.
 
We should also note that The Register had questionable reporting; I quote:

Once logged in, the hackers could trigger remote wipes, locking victims out of their own phones and destroying incriminating evidence of compromise.
...
it also offers attackers an easy way to destroy evidence or cause disruption once account credentials are stolen.
while the source security company's report says no such thing. It states that the initial infection occurred on a Windows system, exfiltrating the credentials used to wipe the Android phone. The evidence of infection is more likely to be on the PC than on the phone.

If they had inferred that wiping the phone, which is often used for account authentications (SMS, TOTP, passkeys, apps, etc.), would lock some people out of their accounts and reduce their means of recovery (due to the required authentications), it would have been more actionable.

Note to myself:

So you need to guard your Google (and platform) accounts very carefully. Apparently, existing session cookies will allow you to view the devices, although I’m not sure if you can reset it without additional authentication (I’m not brave enough to try clicking "Factory Reset"). If it does require additional authentication (like when changing security options), using passkeys and not keeping the password on your system would have prevented this remote wipe altogether. Having Google 2FA methods beyond what's on the phone is obviously desirable in this case.

Just remember that session cookies alone will likely grant hackers some access to your Google account, and if they have the password too, they will probably gain access to everything. The APP accounts may be treated differently.

For SMS 2FA, if you have to have it, you may want to have a backup phone for quick setup, or also a secondary phone number, or other methods. TOTP 2FA often has recovery codes associated with it (not all of them do). Straight app 2FA without alternatives might be problematic unless you can set it up on another phone/Google account quickly.

Obviously, not falling for the initial social engineering would eliminate the need to think about the above.
 
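The post above asks whether a stolen session cookie alone should be enough to trigger a factory reset, or whether a destructive action ought to require fresh re-authentication with a phishing-resistant factor. The following is an added toy model written for this thread, not code from the thread, from Genians, or from Google's actual Find Hub implementation. It assumes a hypothetical rule (chosen for illustration) that a factory reset is only honoured if the session proved a security key or passkey within the last five minutes; the account names, device names and timestamps are constructed. It plays out the scenario in the Genians report as the poster describes it: password and cookie stolen from a PC, no hardware key in the attacker's hands.

```python
"""Toy model: cookie grants read access, factory reset needs step-up auth.

Added example for this thread. It is NOT Google's implementation; the
step-up window and the factor names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a destructive action is honoured only if the session proved a
# phishing-resistant factor within this many seconds.
STEP_UP_WINDOW_SECONDS = 300
PHISHING_RESISTANT_FACTORS = {"security_key", "passkey"}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    enrolled_factors: set
    devices: dict = field(default_factory=dict)  # device name -> {"wiped": bool}


@dataclass
class Session:
    account: str
    # Epoch seconds of the last phishing-resistant proof; None = never.
    last_strong_auth: Optional[float] = None


class FindHubModel:
    """Hypothetical service modelling the policy discussed in the thread."""

    def __init__(self):
        self.accounts = {}   # account name -> Account
        self.sessions = {}   # cookie value -> Session
        self.audit = []      # human-readable audit trail

    def register(self, name, password, factors, devices):
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(
            salt, _hash_password(password, salt), set(factors),
            {d: {"wiped": False} for d in devices})

    def login(self, name, password, factor_used=None, now=None) -> str:
        """Password login returns a session cookie. The cookie carries proof
        of a strong factor only if one was actually presented at login."""
        acct = self.accounts[name]
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            raise PermissionError("bad password")
        if factor_used is not None and factor_used not in acct.enrolled_factors:
            raise PermissionError("factor not enrolled")
        cookie = secrets.token_urlsafe(32)
        strong = (now or time.time()) if factor_used in PHISHING_RESISTANT_FACTORS else None
        self.sessions[cookie] = Session(name, strong)
        return cookie

    def step_up(self, cookie, factor_used, now=None):
        """Re-authenticate an existing session; SMS/TOTP do not count here."""
        sess = self.sessions[cookie]
        enrolled = self.accounts[sess.account].enrolled_factors
        if factor_used not in PHISHING_RESISTANT_FACTORS or factor_used not in enrolled:
            raise PermissionError("step-up requires an enrolled security key or passkey")
        sess.last_strong_auth = now or time.time()

    def list_devices(self, cookie):
        """Read-only view: a valid cookie is enough, as the post suspects."""
        sess = self.sessions[cookie]
        return sorted(self.accounts[sess.account].devices)

    def factory_reset(self, cookie, device, now=None) -> bool:
        """Destructive action: denied unless strong auth is recent."""
        sess = self.sessions[cookie]
        now = now or time.time()
        if sess.last_strong_auth is None or now - sess.last_strong_auth > STEP_UP_WINDOW_SECONDS:
            self.audit.append(f"DENIED reset of {device} for {sess.account}: no recent strong auth")
            return False
        self.accounts[sess.account].devices[device]["wiped"] = True
        self.audit.append(f"RESET {device} for {sess.account}")
        return True


def scenario():
    """Constructed scenario: password + cookie stolen from the PC, no key."""
    hub = FindHubModel()
    hub.register("victim", "hunter2", {"security_key", "sms"}, ["pixel-8"])
    t0 = 1_700_000_000.0
    # Attacker: knows the password, holds a cookie, has no security key.
    stolen = hub.login("victim", "hunter2", now=t0)
    seen = hub.list_devices(stolen)                       # enumeration works
    wiped = hub.factory_reset(stolen, "pixel-8", now=t0 + 10)   # reset refused
    # Owner: proves the security key, then resets inside the window.
    owner = hub.login("victim", "hunter2", factor_used="security_key", now=t0)
    owner_ok = hub.factory_reset(owner, "pixel-8", now=t0 + 60)
    return seen, wiped, owner_ok, hub.audit


if __name__ == "__main__":
    print(scenario())
```

The design point is the split between read and destructive operations: enumeration is cheap to allow on a bearer cookie, while a wipe is gated on a factor the attacker cannot phish or lift from a PC. Note that the model also refuses a step-up via SMS, which matters because the phone receiving the SMS is the device being wiped.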