Android Remote Data-Wipe Malware Attacking Users Leveraging Google’s Find Hub

A sophisticated remote data-wipe attack targeting Android devices has emerged, exploiting Google’s Find Hub service to execute destructive operations on smartphones and tablets across South Korea.

This campaign represents the first documented case where state-sponsored threat actors weaponized a legitimate device protection service to remotely erase user data and disrupt normal device operations.

The malware, distributed through a trusted messaging platform, shows an evolution in attack sophistication by combining social engineering, persistent backdoors, and abuse of a built-in device-protection feature.

The attack begins with malicious files disguised as stress-relief programs distributed via KakaoTalk messenger.

Victims receive a ZIP archive named “Stress Clear.zip” containing a Windows Installer (MSI) package that runs silently in the background while displaying a fake error message about language pack compatibility.

Once installed, the malware establishes persistence through an AutoIt script registered as a Windows Task Scheduler task and maintains command-and-control communication with servers located in Germany, specifically the IP address 116.202.99.218 and the domain bp-analytics.de.

Genians security researchers identified this campaign as part of the KONNI APT operation, linked to North Korean state-sponsored groups Kimsuky and APT37, both operating under the 63 Research Center.

The initial compromise occurred on September 5, 2025, when threat actors hijacked the KakaoTalk account of a South Korean psychological counselor specializing in support for North Korean defector youth.

Kimsuky and KONNI Groups under the 63 Research Center (Source – Genians)

The attackers leveraged this trusted relationship to distribute malicious files to the counselor’s contacts, turning victims into unwitting distribution channels for further propagation.

Following system compromise, the malware deploys multiple remote access trojans including RemcosRAT 7.0.4 Pro, QuasarRAT, and RftRAT.

These payloads enable comprehensive system surveillance through webcam monitoring, keystroke logging, and credential harvesting.

The threat actors specifically targeted Google account credentials to gain unauthorized access to Find Hub, Google’s device management service designed to locate and protect lost or stolen Android devices.

Once credentials were obtained, attackers executed remote factory reset commands on victims’ smartphones and tablets, permanently deleting personal data and rendering devices temporarily unusable.

Infection Mechanism and Persistence Tactics

The infection chain begins when the user runs the “Stress Clear.msi” file, which is signed with a code-signing certificate issued to “Chengdu Hechenyingjia Mining Partnership Enterprise” in China.

A valid-looking signature lends the installer an appearance of legitimacy that helps it pass initial reputation and security checks.

During installation, the MSI package invokes an embedded batch script, “install.bat”, that copies AutoIt3.exe and the malicious script “loKITr.au3” to the public Music folder at C:\Users\Public\Music.

The install.bat script then creates a scheduled task using a renamed copy of schtasks.exe named “hwpviewer.exe”, so that the task-creation process masquerades as a legitimate document viewer.

This task executes the AutoIt script every minute, ensuring the malware keeps running even after a system restart. The batch script then deletes the original installation files to reduce forensic traces.

Meanwhile, a bundled script, error.vbs, displays a deceptive Korean-language error message claiming an incompatibility between the system and program language packs, convincing users that the installation failed while the malicious operations are in fact completing successfully.

Attack flowchart (Source – Genians)

The AutoIt script loKITr.au3 functions as the primary backdoor component, establishing encrypted connections to command-and-control infrastructure and downloading additional malicious modules.

Analysis revealed that the script uses the mutex “Global\AB732E15-D8DD-87A1-7464-CE6698819E701” to prevent duplicate execution and registers a startup shortcut named “Smart_Web.lnk” so that it also launches automatically at user logon.

The malware conceals its true functionality through obfuscation techniques including unnecessary code insertion and encoding of critical strings.
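The host and network indicators above (AutoIt3.exe and loKITr.au3 under C:\Users\Public\Music, a renamed schtasks.exe, the Smart_Web.lnk startup shortcut, the 116.202.99.218 C2 address and the bp-analytics.de domain) map cleanly onto Sysmon telemetry. The following hunting script is an added example written for this article, not code from Genians or from the malware; the field names follow Sysmon event IDs 1, 3, 11 and 22, the sample events are constructed, and the exact schtasks command line used to register the one-minute task is an assumption (the report only states that the task fires every minute).

```python
"""Hunt for KONNI 'Stress Clear' indicators in Sysmon-style events (added example)."""
import re
from dataclasses import dataclass

# Indicators quoted in the write-up, lower-cased for matching.
C2_IPS = {"116.202.99.218"}
C2_DOMAINS = {"bp-analytics.de"}
PUBLIC_MUSIC = r"c:\users\public\music"


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _f(ev, key):
    """Return a Sysmon field lower-cased, or '' when the field is absent."""
    return str(ev.get(key, "")).lower()


def check_process(ev):
    """Rules for Sysmon event ID 1 (process creation)."""
    image, cmd, orig = _f(ev, "Image"), _f(ev, "CommandLine"), _f(ev, "OriginalFileName")
    out = []
    # AutoIt interpreter launched from the public Music folder with a .au3 script.
    if image.endswith("autoit3.exe") and PUBLIC_MUSIC in image and ".au3" in cmd:
        out.append(Finding("autoit_from_public_music", 1, cmd))
    # Renamed schtasks.exe: the PE's OriginalFileName survives a rename on disk.
    if orig == "schtasks.exe" and not image.endswith("\\schtasks.exe"):
        out.append(Finding("renamed_schtasks", 1, image))
    # schtasks (renamed or not) registering a minute-interval task that runs AutoIt.
    # The '/sc minute' syntax is an assumption about how the task was created.
    if orig == "schtasks.exe" and re.search(r"/sc\s+minute", cmd) and "autoit3.exe" in cmd:
        out.append(Finding("minute_task_runs_autoit", 1, cmd))
    return out


def check_network(ev):
    """Rules for Sysmon event ID 3 (network connection)."""
    ip, host = _f(ev, "DestinationIp"), _f(ev, "DestinationHostname")
    if ip in C2_IPS or host in C2_DOMAINS:
        return [Finding("c2_connection", 3, f"{ip} {host}".strip())]
    return []


def check_dns(ev):
    """Rules for Sysmon event ID 22 (DNS query)."""
    name = _f(ev, "QueryName")
    return [Finding("c2_dns_query", 22, name)] if name in C2_DOMAINS else []


def check_file(ev):
    """Rules for Sysmon event ID 11 (file creation): the Startup-folder shortcut."""
    target = _f(ev, "TargetFilename")
    if "\\start menu\\programs\\startup\\" in target and target.endswith("smart_web.lnk"):
        return [Finding("startup_shortcut", 11, target)]
    return []


RULES = {1: check_process, 3: check_network, 11: check_file, 22: check_dns}


def hunt(events):
    """Run every rule over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        if rule:
            findings.extend(rule(ev))
    return findings


# Constructed sample telemetry (not real logs) mirroring the chain described above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\Music\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Users\Public\Music\AutoIt3.exe" C:\Users\Public\Music\loKITr.au3'},
    {"EventID": 1, "Image": r"C:\Users\Public\Music\hwpviewer.exe",
     "OriginalFileName": "schtasks.exe",   # renamed copy of schtasks.exe
     "CommandLine": r'hwpviewer.exe /create /sc minute /mo 1 /tn Updater '
                    r'/tr "C:\Users\Public\Music\AutoIt3.exe C:\Users\Public\Music\loKITr.au3" /f'},
    {"EventID": 22, "Image": r"C:\Users\Public\Music\AutoIt3.exe", "QueryName": "bp-analytics.de"},
    {"EventID": 3, "Image": r"C:\Users\Public\Music\AutoIt3.exe",
     "DestinationIp": "116.202.99.218", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Users\Public\Music\AutoIt3.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Smart_Web.lnk"},
    # Benign activity that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe", "CommandLine": "schtasks /query /fo LIST"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "142.250.74.46", "DestinationPort": 443},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The renamed-schtasks rule is the one worth keeping even after the IP and domain rotate: Sysmon records the PE's OriginalFileName, so a copy of schtasks.exe renamed to hwpviewer.exe still identifies itself, and the same comparison catches any other renamed LOLBin.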

Once established, the backdoor enables comprehensive system monitoring and remote control capabilities.

Threat actors activate webcams and microphones to surveil victims’ physical environments, identifying periods of absence to conduct operations undetected.

The malware exfiltrates sensitive data, including credentials for Google and Naver accounts; the Google credentials become the gateway for the most destructive stage of the attack.

After confirming through Find Hub location queries that victims are away from their devices, the attackers issue remote factory reset commands to Android smartphones and tablets, deleting all stored data and cutting off the victims’ communication channels. The reset itself is a legitimate Find Hub function; possession of the Google account credentials was all the attackers needed to invoke it, which makes the account, not the handset, the control point for defenders.

This coordinated approach of surveillance, credential theft, and destructive actions demonstrates tactical maturity rarely observed in APT operations targeting mobile platforms.
