Concise Cyber

North Korean Hackers Exploit Google’s Find My Device to Wipe Android Phones

A North Korean state-sponsored hacking group, known as Kimsuky or APT43, has been observed using custom Android malware to weaponize Google’s Find My Device service. According to research from cybersecurity firm Mandiant, the group uses the service not for recovery, but as a destructive tool to remotely wipe compromised devices after exfiltrating data.

The threat actors deploy a sophisticated Android malware named Plankwalk. This malware provides the attackers with extensive control over an infected device, enabling them to steal sensitive information and manage files remotely.

Plankwalk Malware’s Espionage Capabilities

Once installed on a target’s device, the Plankwalk malware grants its operators significant spying abilities. The malware is designed to exfiltrate a wide range of data, including contact lists, SMS messages, call logs, and specific device information such as its IMEI and phone number. It can also retrieve the device’s current location data. Beyond data theft, Plankwalk allows the Kimsuky operators to enumerate, download, and delete files stored on the Android device. The malware also includes functions to record audio and capture screenshots, adding to its surveillance toolkit. Communications with its command-and-control (C2) server are secured using AES encryption to evade detection.

Weaponizing Find My Device for Destruction

A key function of the Plankwalk malware is its ability to interact with Google’s Find My Device feature. After gaining access to the device, the malware steals the victim’s Google account credentials. These stolen credentials are then used by the attackers to programmatically access the Find My Device service associated with the account. By manipulating the service, the Kimsuky group can trigger the ‘erase device’ function, initiating a full factory reset. Mandiant researchers report that this destructive capability is used by the threat actor to destroy forensic evidence on the device after successfully stealing the desired information, effectively covering their tracks.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons’ work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
