Executive Summary
In early 2024, North Korean threat group APT37 (also known as KONNI) leveraged Google’s Find My Device Hub functionality to remotely track, lock, and factory reset Android devices belonging to targeted individuals. The attack chain involved initial compromise of Android devices via malicious apps or phishing, after which the threat actors abused legitimate Google mobile device management tools to erase and destroy data on compromised endpoints. As a result, affected organizations and individuals suffered total loss of sensitive information and operational disruption, with a clear intent by attackers to destroy evidence and hinder forensic investigations.
This incident highlights the growing sophistication of APTs in subverting trusted platform features for destructive ends, signaling elevated risk for organizations relying on mobile endpoints, especially in regions or sectors of geopolitical interest. The trend reveals a shift toward wiper operations and supply chain risks in the mobile ecosystem.
Why This Matters Now
This case underscores an urgent threat: malicious actors are increasingly subverting built-in device management tools to inflict data loss, bypassing traditional security controls. Mobile device fleets, especially in government and enterprise, are at heightened risk as attackers leverage legitimate remote management and cloud-based APIs for wide-scale destruction and espionage.
Attack Path Analysis
APT37 first compromised Android devices and the Google accounts linked to them, likely by phishing users or exploiting credential weaknesses, and then abused Google Find Hub. After gaining access, the attackers obtained the permissions needed to manipulate device settings or accounts. They did not require significant lateral movement, instead managing the infected device directly. Through established remote access and C2 channels, they issued commands for GPS tracking or factory reset. While direct exfiltration is not confirmed, GPS or device data could have been transmitted prior to the reset. The attack culminated in a remotely triggered factory reset, destroying data and disrupting device availability.
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged either social engineering or stolen credentials to access Google accounts linked to Android devices, enabling the abuse of Google Find Hub functionalities.
Related CVEs
CVE-2022-41128 (CVSS 8.8)
A type confusion vulnerability in the JScript9 scripting engine allows remote attackers to execute arbitrary code via a crafted HTML page.
Affected Products:
Microsoft Windows – Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Exploit Status:
Exploited in the wild
CVE-2024-38178 (CVSS 7.5)
A memory corruption vulnerability in the Windows Scripting Engine allows remote attackers to execute arbitrary code via a crafted web page.
Affected Products:
Microsoft Windows – Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Exploit Status:
Exploited in the wild
CVE-2018-4878 (CVSS 9.8)
A use-after-free vulnerability in Adobe Flash Player allows remote attackers to execute arbitrary code via crafted SWF content.
Affected Products:
Adobe Flash Player – 29.0.0.113 and earlier
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Endpoint Denial of Service
System Shutdown/Reboot
Data Manipulation: Stored Data Manipulation
User Execution: Malicious Link
Valid Accounts
Data Destruction
Location Tracking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 10
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Device Security Monitoring and Control
Control ID: Device Pillar - Protection
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure to APT37 Android data-wiping attacks targeting government officials through GPS tracking and remote factory resets via compromised devices.
Defense/Space
High-value targets for North Korean KONNI cluster seeking sensitive defense data through Google Find Hub exploitation and Android device compromise.
Financial Services
Mobile banking and financial applications vulnerable to data destruction attacks requiring enhanced east-west traffic security and threat detection capabilities.
Health Care / Life Sciences
Patient data and medical devices at risk from GPS tracking exploitation, requiring HIPAA compliance controls and encrypted traffic protection.
Sources
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks – https://www.bleepingcomputer.com/news/security/apt37-hackers-abuse-google-find-hub-in-android-data-wiping-attacks/ (Verified)
- Internet Explorer 0-day exploited by North Korean actor APT37 – https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/ (Verified)
- Weekly Intelligence Report – 05 September 2025 – https://www.cyfirma.com/news/weekly-intelligence-report-05-september-2025/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, strong policy enforcement, egress controls, and threat detection capabilities could have limited the attacker's ability to escalate, pivot, and execute destructive remote commands. CNSF-aligned controls restrict illegitimate use of trusted management channels and help detect anomalous command patterns.
Control: Threat Detection & Anomaly Response
Mitigation: Detection of anomalous authentication or access patterns to management interfaces.
Control: Zero Trust Segmentation
Mitigation: Restriction of unauthorized management actions based on least privilege and policy.
Control: East-West Traffic Security
Mitigation: Limits on internal device-to-device and admin control communications.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Policy-based inspection and blocking of abnormal management commands.
Control: Egress Security & Policy Enforcement
Mitigation: Detection and restriction of suspicious outbound data transfers to unauthorized locations.
Rapid detection of mass-device reset issuance or destructive actions.
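The two detection signals listed above (a destructive command issued shortly after an unfamiliar login, and a burst of remote resets across many devices from one account) can be expressed as simple rules over management-audit events. The following is an added example, not code from the report or from any vendor product; it assumes a constructed JSON-lines audit format whose field names are placeholders, since real Find Hub or Workspace audit schemas differ.

```python
# Constructed example: rule-based detection of remote-wipe abuse in audit logs.
# Field names (account, device, action, new_device_login) are assumed placeholders.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
SAMPLE_LOG = """
{"ts": "2024-02-10T08:00:00Z", "account": "alice@example.org", "device": "dev-1", "action": "LOGIN", "ip": "203.0.113.7", "new_device_login": true}
{"ts": "2024-02-10T08:04:00Z", "account": "alice@example.org", "device": "dev-1", "action": "LOCATE", "ip": "203.0.113.7"}
{"ts": "2024-02-10T08:05:00Z", "account": "alice@example.org", "device": "dev-1", "action": "FACTORY_RESET", "ip": "203.0.113.7"}
{"ts": "2024-02-10T08:06:00Z", "account": "alice@example.org", "device": "dev-2", "action": "FACTORY_RESET", "ip": "203.0.113.7"}
{"ts": "2024-02-10T08:07:00Z", "account": "alice@example.org", "device": "dev-3", "action": "FACTORY_RESET", "ip": "203.0.113.7"}
{"ts": "2024-02-10T09:30:00Z", "account": "bob@example.org", "device": "dev-9", "action": "LOGIN", "ip": "198.51.100.2"}
{"ts": "2024-02-11T09:30:00Z", "account": "bob@example.org", "device": "dev-9", "action": "FACTORY_RESET", "ip": "198.51.100.2"}
"""

DESTRUCTIVE = {"FACTORY_RESET", "ERASE", "LOCK"}
LOGIN_TO_WIPE_WINDOW = timedelta(hours=1)  # wipe soon after an unfamiliar login
MASS_RESET_WINDOW = timedelta(minutes=10)  # many devices wiped by one account
MASS_RESET_THRESHOLD = 3

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    alerts = []
    last_new_login = {}         # account -> time of last login from an unfamiliar device
    resets = defaultdict(list)  # account -> [(time, device)] destructive actions
    for e in events:
        acct = e["account"]
        if e["action"] == "LOGIN" and e.get("new_device_login"):
            last_new_login[acct] = e["ts"]
        if e["action"] in DESTRUCTIVE:
            # Rule 1: destructive command within an hour of an unfamiliar login
            t = last_new_login.get(acct)
            if t is not None and e["ts"] - t <= LOGIN_TO_WIPE_WINDOW:
                alerts.append(("wipe_after_new_login", acct, e["device"]))
            # Rule 2: burst of resets across distinct devices from one account
            resets[acct].append((e["ts"], e["device"]))
            recent = {d for ts, d in resets[acct] if e["ts"] - ts <= MASS_RESET_WINDOW}
            if len(recent) == MASS_RESET_THRESHOLD:
                alerts.append(("mass_reset_burst", acct, sorted(recent)))
    return alerts
```

Bob's single reset a day after a routine login produces no alert, while Alice's three resets minutes after a new-device login trigger both rules; the thresholds are starting points to tune against a fleet's normal wipe volume.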
Impact at a Glance
Affected Business Functions
- Mobile Device Management
- User Account Security
- Data Integrity
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive personal and organizational data due to unauthorized access and remote wiping of Android devices.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation and role-based policy to tightly control management access to cloud device services.
- Deploy threat detection and anomaly response to monitor for unauthorized or abnormal usage of device management APIs.
- Apply egress security controls to detect and restrict suspicious outbound flows, including telemetry and sensitive data.
- Enforce east-west traffic controls to prevent lateral movement from initially compromised accounts to additional devices or services.
- Regularly audit and baseline administrative activity to identify abuse of remote wipe or tracking features.