
State-Sponsored Remote Wipe Tactics Targeting Android Devices

Severity: Medium
Published: Mon Nov 10 2025 (11/10/2025, 11:14:25 UTC)
Source: AlienVault OTX General

Description

A state-sponsored threat actor group known as KONNI has launched a sophisticated Android malware campaign leveraging Google's Find Hub feature to remotely wipe devices. The attackers used social engineering by impersonating psychological counselors and human rights activists, distributing malware disguised as stress-relief apps via KakaoTalk messenger. They compromised victims' Google accounts to track locations and execute remote wipes. The campaign involved spear-phishing, extensive reconnaissance, and abuse of legitimate device management functions. Multiple Remote Access Trojans (RATs) such as RemcosRAT, QuasarRAT, and RftRAT were deployed. The attackers used WordPress-based hosting and geographically distributed command-and-control servers to evade detection. This attack highlights evolving tactics of state-sponsored actors targeting Android users. No CVSS score is assigned, but the threat poses a medium severity risk due to its impact and complexity.

AI-Powered Analysis

Last updated: 11/10/2025, 11:37:23 UTC

Technical Analysis

The KONNI advanced persistent threat (APT) group has developed a novel Android attack vector exploiting Google's Find Hub feature, which is designed for device location and management, to perform remote data wipes on compromised devices. The attack chain begins with social engineering tactics, where attackers impersonate trusted figures such as psychological counselors and human rights activists to lure victims into installing malware disguised as stress-relief applications distributed via the KakaoTalk messenger platform. Once installed, the malware facilitates the compromise of victims' Google accounts, granting attackers the ability to track device locations and remotely wipe data, effectively causing denial of access and potential data loss. The campaign is characterized by spear-phishing and prolonged reconnaissance phases, indicating targeted victim selection and careful planning. Multiple RAT variants including RemcosRAT, QuasarRAT, and RftRAT are utilized to maintain persistence, execute commands, and exfiltrate data. The attackers employ WordPress-based infrastructure for hosting malicious payloads and use geographically distributed command-and-control servers to avoid detection and takedown efforts. The abuse of legitimate device management features, combined with sophisticated social engineering and multi-stage malware deployment, demonstrates an evolution in state-sponsored Android attack methodologies. Indicators of compromise include specific IP addresses, domain names, and file hashes linked to the campaign. Despite the absence of a CVSS score, the attack's complexity and potential for significant data loss warrant serious attention.

Potential Impact

European organizations face significant risks from this campaign, particularly those with employees or stakeholders using Android devices integrated with Google accounts. The ability of attackers to remotely wipe devices threatens data availability and operational continuity, potentially causing loss of critical business information and disruption of services. Compromise of Google accounts also endangers confidentiality and privacy, exposing sensitive location data and personal information. The use of social engineering targeting psychological counselors and human rights activists suggests a focus on high-value or sensitive targets, which may include NGOs, media, and governmental entities in Europe. The campaign's stealthy infrastructure and multi-RAT deployment complicate detection and response efforts, increasing the likelihood of prolonged compromise. Additionally, organizations relying on KakaoTalk or similar messaging platforms for communication may be more vulnerable. The attack could lead to reputational damage, regulatory penalties under GDPR for data breaches or loss, and financial costs associated with incident response and recovery.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic controls. First, enforce multi-factor authentication (MFA) on all Google accounts to reduce the risk of account compromise. Conduct focused user awareness training emphasizing the risks of social engineering, especially impersonation tactics involving trusted figures and messaging apps like KakaoTalk. Deploy mobile threat defense solutions capable of detecting and blocking malicious Android applications and RAT activity. Monitor Google account activity for unusual login patterns and unauthorized device management commands, leveraging Google Workspace security tools where applicable. Restrict or monitor the use of device management features such as Find Hub to authorized personnel only. Implement network-level detection for known indicators of compromise including the listed IP addresses and domains associated with the campaign. Regularly update and patch Android devices and associated apps to minimize exploitation vectors. Establish incident response playbooks specifically addressing remote wipe scenarios to enable rapid containment and recovery. Collaborate with threat intelligence providers to stay informed about evolving tactics and indicators related to KONNI and similar APT groups.


Technical Details

Author
AlienVault
Tlp
white
References
https://www.genians.co.kr/en/blog/threat_intelligence/android
Adversary
KONNI
Pulse Id
6911c911b6b2b40bf3ccf268
Threat Score
null

Indicators of Compromise


Threat ID: 6911ca57c9af41ae0ebf1d5c

Added to database: 11/10/2025, 11:19:51 AM

Last enriched: 11/10/2025, 11:37:23 AM

Last updated: 11/22/2025, 9:51:31 AM

