North Korean–Linked KONNI Hackers Use KakaoTalk and Google Find Hub to Spy on Android Devices

465/68 Friday, November 14, 2025

Security researchers at the Genians Security Center (GSC) report that the KONNI hacking group – believed to be supported by North Korea and linked to Kimsuky (APT37) – has developed sophisticated attack techniques to spy on and wipe data from victims’ Android devices. The campaign primarily targets individuals in South Korea and abuses popular platforms such as the KakaoTalk messaging app and Google’s Find Hub (Find My Device) service to conduct espionage and destroy evidence.

The attack begins with spear-phishing, where threat actors impersonate trusted individuals – such as psychologists working with North Korean defectors or officers from the national tax agency – to lure victims into opening malicious files disguised as documents or forms. Once access is gained, attackers may remain hidden for over a year, silently monitoring victims and even controlling webcams. They then leverage victims’ logged-in KakaoTalk accounts to propagate malware, such as a file named “Stress Clear.zip”, to contacts. This trust-based attack significantly increases the likelihood of successful infection.

The final stage focuses on covering their tracks and severing communication. After stealing victims’ Google account credentials, the attackers abuse Google Find Hub by waiting until the victim is away from their device and then issuing a remote factory reset command on Android phones and tablets. This wipes all personal data and, crucially, does not trigger any notification to the victim, preventing them from detecting or responding to the attack in time.

GSC researchers advise users never to open unknown or suspicious files, even if they appear to come from someone familiar. They also strongly recommend enabling two-factor authentication (2FA) on Google accounts to prevent unauthorized access and limit the impact of such attacks.

Source: https://hackread.com/hackers-kakaotalk-google-find-hub-android-spyware/