🔴 HIGH

KONNI APT - Abuse of Google Find Hub to Remotely Wipe Android

Category: Threat Alerts

KONNI, linked to North Korea’s Kimsuky/APT37, abused Google’s Find Hub to remotely wipe Android devices after stealing Google account credentials, mapping to T1566 (Phishing), T1110 (Credential Access), and T1490 (Inhibit System Recovery). Lures masqueraded as stress-relief programs distributed via KakaoTalk; an MSI installer executed an AutoIt loader, persisted via scheduled tasks, and fetched RATs (Remcos, QuasarRAT, RftRAT) for command execution (T1059, T1105).

Once credentials were captured, the actors tracked device locations and triggered remote resets to destroy evidence and delay detection. The operation leveraged compromised KakaoTalk accounts and valid-looking signatures to pass trust checks, then used the victim's PC session to push further malicious files to trusted contacts. Persistence techniques included copying binaries to public folders, scheduled tasks, and multi-host C2 with rotation across regions (T1071). To minimize the chance of alerting, the actors confirmed victims were away from their devices before initiating resets.

Business impact is high for NGOs, activists, and diaspora groups targeted through trust relationships. Enterprise risk includes compromise of corporate Google accounts, potential data loss on BYOD endpoints, and account takeover of workspace assets. The campaign combines social engineering with abuse of a legitimate device-management feature, which complicates detection and response.

Mitigations: enforce MFA on Google accounts, require verification for remote wipe actions, monitor for anomalous Find Hub activity, and restrict sideloaded installers. Deploy EDR with behavior rules for AutoIt loaders and MSI stagers, and train users about messenger-borne malware. Disrupt persistence with scheduled-task auditing and integrity checks.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Remote wipe capability allows rapid evidence destruction and operational disruption, with spillover into enterprise identities and collaboration platforms when Google credentials are reused.

Technical Context: KakaoTalk social engineering → AutoIt loader → RAT modules → Google credential theft → Find Hub remote resets.

ATT&CK: T1566, T1110, T1059, T1105, T1490, T1071.

Strategic Intelligence Guidance

  • Mandate MFA and device-based challenges for Google accounts; alert on Find Hub wipe/reset operations.
  • Block MSI/AutoIt execution from user temp paths; add AppLocker rules for high-risk interpreters.
  • Run targeted phishing simulations for at-risk user communities and staff with regional ties.
  • Instrument EDR for RAT beacons (Remcos/Quasar/RftRAT) and scheduled-task persistence.
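The second and fourth guidance items (MSI/AutoIt execution from user temp paths, scheduled-task persistence) can be expressed as simple process-creation rules. The block below is an added example written for this page, not detection content from the alert or from any vendor. It assumes Sysmon-style process-creation records with image, command line, and parent image fields; the events, the user name, and the file names in them are constructed for the demonstration.

```python
"""Detection rules for the MSI -> AutoIt loader -> scheduled-task chain.

Added example (not part of the original alert). Assumes process-creation
telemetry shaped like Sysmon Event ID 1: image path, command line, parent
image path. All events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Launch locations the alert calls out for MSI/AutoIt stagers and for
# binaries copied into public folders for persistence.
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PUBLIC_RE = re.compile(r"\\users\\public\\|\\programdata\\", re.I)
# AutoIt interpreter binary or a compiled .a3x script on the command line.
AUTOIT_RE = re.compile(r"autoit3\.exe$|\.a3x\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the started process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def detect(events):
    """Return (rule_name, evidence) findings for the events that match."""
    findings = []
    for ev in events:
        img = ev.image.lower()
        cmd = ev.cmdline.lower()
        parent = ev.parent_image.lower()

        # Rule 1: AutoIt interpreter/script started from a user temp path,
        # or spawned directly by msiexec (MSI stager handing off to loader).
        if AUTOIT_RE.search(img) or AUTOIT_RE.search(cmd):
            if (USER_TEMP_RE.search(img) or USER_TEMP_RE.search(cmd)
                    or parent.endswith("msiexec.exe")):
                findings.append(("autoit_loader_from_temp_or_msi", ev.image))

        # Rule 2: scheduled task created whose action runs from a public
        # or temp folder (the persistence pattern described in the alert).
        if img.endswith("schtasks.exe") and "/create" in cmd:
            if PUBLIC_RE.search(cmd) or USER_TEMP_RE.search(cmd):
                findings.append(("schtask_persistence_public_path", ev.cmdline))

        # Rule 3: msiexec installing a package that sits in a user temp path.
        if img.endswith("msiexec.exe") and USER_TEMP_RE.search(cmd):
            findings.append(("msi_install_from_user_temp", ev.cmdline))
    return findings


# Constructed sample telemetry: one benign launch, the three stages of the
# chain, and a benign vendor task to show the rules do not fire on it.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Vendor\app.exe",
              r'"C:\Program Files\Vendor\app.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Users\kim\AppData\Local\Temp\AutoIt3.exe",
              r'"C:\Users\kim\AppData\Local\Temp\AutoIt3.exe" '
              r'"C:\Users\kim\AppData\Local\Temp\loader.a3x"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Update" /tr "C:\Users\Public\svc.exe" '
              r'/sc minute /mo 5',
              r"C:\Users\kim\AppData\Local\Temp\AutoIt3.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\kim\AppData\Local\Temp\StressRelief.msi /qn",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "VendorUpdate" '
              r'/tr "C:\Program Files\Vendor\upd.exe" /sc daily',
              r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The rules key on location and parentage rather than file hashes, so they survive the binary renaming and region-rotating infrastructure the alert describes; in production they would be tuned against the organization's own software inventory to keep vendor tasks and installers out of the alert stream.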

Vendors

Google

Threats

KONNI, Kimsuky, APT37

Targets

Android users, NGOs, Policy experts, Defectors’ support networks