KONNI Hackers Weaponize Google’s Find My Device to Remotely Wipe Android Phones
A North Korean–linked hacking campaign attributed to the KONNI cluster has executed a string of targeted attacks against Android devices in South Korea, uniquely exploiting the legitimate Google Find My Device service to remotely wipe victims’ phones.
Genians’ investigators determined that the adversaries first gained control of victims’ accounts — including Google and Naver credentials — then remotely triggered factory resets to erase personal data. This not only disrupted the victims’ devices but also obscured forensic traces, paving the way for subsequent dissemination of malicious archives via compromised KakaoTalk accounts.
The intrusion began with tailored phishing emails, purporting to be notices from the South Korean tax authority. Among the targets were counselors working with young North Korean defectors. Opening the attachment installed an executable masquerading as a stress-relief utility; once the host was compromised, the attackers abused KakaoTalk on desktop clients to propagate infected archives to the victims’ contacts.
A pivotal element of the infection chain was an MSI installer signed with a digital certificate from a Chinese firm. The package contained AutoIt scripts that performed the clandestine installation and activation of malicious components. One such script, IoKlTr.au3, ran on a schedule, granting remote control over the machine: exfiltrating files, capturing webcam images, and communicating with command servers located in Germany, Japan, and the Netherlands. Deceptive error dialogs were also used to confuse users and delay detection.
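As an added defender-side example (not code from the article, from Genians, or from the campaign), the following Python script triages exported Windows Task Scheduler XML definitions for the kind of scheduled AutoIt persistence described above: it flags tasks whose action runs an AutoIt interpreter, references an .au3 script, or launches its binary from a user-writable location, and records the repetition interval for analyst context. The two task definitions are constructed; the `%APPDATA%\Update` folder and the five-minute interval are assumptions, and only the script name IoKlTr.au3 comes from the report.

```python
"""Triage Windows Task Scheduler XML exports for AutoIt-based persistence.

Added example for this article; not code from Genians or from the campaign.
The task definitions below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 XML definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators: an AutoIt interpreter binary, an .au3 script reference, and
# execution from a user-writable location (environment variable or literal path).
AUTOIT_EXE = re.compile(r"autoit3(?:_x64)?\.exe$", re.IGNORECASE)
AU3_SCRIPT = re.compile(r"\.au3(?:\W|$)", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"^(?:%appdata%|%localappdata%|%temp%|%tmp%|%public%|%programdata%"
    r"|c:\\users\\[^\\]+\\appdata|c:\\programdata|c:\\users\\public)",
    re.IGNORECASE,
)


def triage_task_xml(xml_text):
    """Return a list of findings for one task definition (empty if nothing is flagged)."""
    root = ET.fromstring(xml_text)
    # Repetition interval, if any (e.g. "PT5M"); kept for context, not as an indicator.
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        reasons = []
        if AUTOIT_EXE.search(cmd):
            reasons.append("command is an AutoIt interpreter")
        if AU3_SCRIPT.search(args) or AU3_SCRIPT.search(cmd):
            reasons.append("references a .au3 script")
        if USER_WRITABLE.match(cmd):
            reasons.append("binary launched from a user-writable path")
        if reasons:
            findings.append({
                "command": cmd,
                "arguments": args,
                "repeat_interval": interval,
                "reasons": reasons,
            })
    return findings


# Constructed sample resembling the scheduled AutoIt loader described in the
# article; the %APPDATA%\Update folder and the 5-minute interval are assumptions.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%APPDATA%\\Update\\AutoIt3.exe</Command>
      <Arguments>"%APPDATA%\\Update\\IoKlTr.au3"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a system binary launched from %windir% at boot.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\sc.exe</Command>
      <Arguments>start w32time task_started</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        for f in triage_task_xml(xml_text):
            every = f["repeat_interval"] or "n/a"
            print(f"[{name}] {f['command']} {f['arguments']} (repeat {every}): {', '.join(f['reasons'])}")
```

On a live host the same XML can be obtained with `schtasks /query /xml /tn <task name>` or PowerShell's `Export-ScheduledTask`, so the function can be run over every task on a machine; a match is a triage lead rather than proof of compromise, since legitimate software occasionally ships AutoIt-compiled helpers.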
Alongside LilithRAT and RemcosRAT, the campaign employed several other remote-access trojans — including QuasarRAT and RftRAT — whose payloads were AES-encrypted and injected into legitimate system processes to evade discovery. The operators leveraged compromised WordPress sites and hosting in the U.S. and Europe as transport infrastructure, and in several cases built multi-tiered proxy chains that complicated attribution and takedown efforts.
The attackers’ objectives encompassed both clandestine surveillance and targeted destruction. By abusing Find My Device, they could determine victims’ locations and, when devices were unattended, issue wipe commands. Repeated erasure operations impeded recovery and deprived users of access to critical alerts. Thereafter, malicious files distributed via KakaoTalk amplified the campaign’s reach.
Taken together, these actions reveal a resilient, stealthy infrastructure engineered for espionage and sabotage, reflecting a high degree of operational sophistication. Experts strongly advise bolstering account defenses with multi-factor authentication, rigorously scanning files received over messaging platforms, using cameras with activity indicators, and deploying behavioral EDR solutions to detect and block such threats at the earliest stages.