Researchers at South Korean cybersecurity firm Genians said a campaign attributed to the long-running KONNI group abused Google device management features to remotely trigger factory resets on Android smartphones and tablets used by targets in South Korea, erasing messages, photos and other data.
Genians described KONNI as a group long linked to North Korean intelligence and said its latest operations represent an escalation in mobile-focused tactics, with operators increasingly exploiting legitimate cloud services to control devices and hide traces of intrusion.
According to the researchers, attackers obtained Google account credentials through spear-phishing and fake login pages, then used those credentials to access the Find My Device platform. That service, intended to help users locate or lock lost phones, can also perform a factory reset, which the adversary used to wipe compromised devices without authorization.
The infection chain reportedly began with messages sent over the KakaoTalk messaging app. Victims were lured into installing signed MSI attachments or ZIP files that deployed AutoIt scripts and remote-access tools such as RemcosRAT, QuasarRAT and RftRAT, which were used to harvest Google and Naver account credentials and other data needed to manipulate cloud services.
Genians said the attackers also exploited victims’ still-logged-in KakaoTalk desktop apps to send malware-laden files to the victims’ contacts, turning compromised accounts into secondary infection vectors that allowed rapid spread before targets could recover access to wiped devices. The researchers added that attackers used the GPS location reported by Find My Device to choose moments when targets were away from their phones and, in at least one case, executed the wipe command multiple times to delay recovery.
Genians recommended enabling multifactor or biometric authentication on device-locating and management tools. The researchers warned that a factory reset triggered through a cloud service cannot be reversed, leaving victims with erased devices and lost evidence of compromise.

