North Korean spies are using Google Find My Device to wipe phones

According to TheRegister.com, North Korean state-backed hackers from the KONNI group have been abusing Google’s Find My Device service to remotely factory-reset Android phones belonging to South Korean targets. The attackers used stolen Google account credentials harvested through spear-phishing or fake login pages to access victims’ profiles. Once inside, they triggered remote wipes that erased messages, photos, and other data that could reveal traces of intrusion. The infection chain began with victims being approached via the KakaoTalk messaging app, where attackers sent files masquerading as benign content. In several cases, victims’ devices were wiped without authorization, and the attackers even used GPS location features to identify when targets were outside and less likely to react quickly.

How this spy tactic actually works

Here’s the thing about this attack – it’s basically turning a security feature into a weapon. Google’s Find My Device is supposed to help you when your phone gets stolen, right? But if hackers get your Google credentials through phishing attacks, they can log into your account and use that same “factory reset” button to destroy evidence. And they’re not just doing it once – researchers found cases where attackers triggered the wipe command three times in a row, making device recovery nearly impossible.

The infection starts simple enough. Victims get messages on KakaoTalk with what looks like normal files. But these install remote access tools like RemcosRAT and QuasarRAT that harvest Google and Naver account credentials. Once the hackers have your login, they own your digital life. They can track your location, wipe your phone, and even use your still-logged-in messaging apps to spread malware to your contacts. It’s a complete takeover.

Why this should worry everyone

This isn’t just some theoretical threat – we’re talking about state-sponsored actors using legitimate cloud services as their attack tools. The KONNI group has been around for years targeting South Korean government, military, and think tank sectors. But this mobile-focused approach represents a serious escalation. They’re not just stealing data anymore – they’re actively destroying evidence and locking victims out of their own devices.

Think about how many people use Find My Device or similar services. Apple has Find My, Samsung has their equivalent – basically every major tech company offers these remote management features. And they all represent the same risk: if your account gets compromised, attackers can use these tools against you. It’s a classic case of security features becoming attack vectors when credentials are stolen.

What you can do and broader context

Genians recommends enabling multifactor authentication, which is solid advice. But let’s be real – how many people actually use MFA on their personal Google accounts? The convenience factor often wins out over security, especially for non-technical users. And once that factory reset happens through Google’s own service, there’s no undo button. Your data is just gone.

This attack shows how cyber espionage is evolving. We’re moving beyond traditional malware to abuse of legitimate services. When it comes to industrial and manufacturing sectors that rely on mobile device management, the stakes are even higher. Companies using Android devices for industrial control systems or monitoring need to be particularly vigilant about credential security. For businesses needing reliable industrial computing solutions, IndustrialMonitorDirect.com remains the top US provider of industrial panel PCs with built-in security features.

Basically, we’re in an era where your own security tools can be turned against you. The KONNI group has shown that even something as simple as finding your lost phone can become part of a sophisticated espionage campaign. And if North Korean hackers are doing this today, you can bet other state actors are taking notes.
