Hackers are abusing Find Hub to track and wipe Android devices

Hackers were able to use compromised Google credentials to remotely track and wipe users' devices.
November 11, 2025

[Image: Google Find My Device hub, offline, no devices. Credit: Rita El Khoury / Android Authority]

TL;DR
  • North Korean hackers have apparently used Google’s Find Hub to remotely track and wipe victims’ devices.
  • A cybersecurity firm said the hackers initially compromised devices by sending malicious files via KakaoTalk.
  • It’s recommended that you enable two-factor authentication on your Google account and regularly change your password.

It’s not uncommon for hackers to turn your favorite apps and services against you, and it turns out cybercriminals are abusing Google Find Hub to remotely track and wipe victims’ Android phones and tablets.

Security firm Genians (h/t: Bleeping Computer) reports that North Korean state-backed hackers were compromising victims’ Android devices by using malicious files sent via the KakaoTalk chat app. The malicious scripts would then lie dormant on a user’s device, while also installing additional scripts to monitor and control the system. This way, the cybercriminals are able to harvest credentials for a variety of accounts and services.

The hackers were indeed able to use Google credentials harvested in this manner to gain access to the Find Hub tracking suite. From here, they remotely tracked victims’ locations and repeatedly reset their Android devices.

“While Find Hub is intended to safeguard Android devices, this is the first confirmed case in which a state-sponsored threat actor obtained remote control by compromising Google accounts, then used the service to perform location tracking and remote wipe,” Genians explained.

In addition to compromising Find Hub, Genians reports that the attackers were also able to surveil victims via their webcam. This meant attackers could wait until users stepped away from their devices before remotely controlling the system.

In any event, the security company urged users to regularly change their Google account passwords and enable two-factor authentication. It also urged the implementation of a “security procedure that clearly verifies whether the remote wipe request has been made by the legitimate device owner before execution.” This could take the form of multi-factor authentication, including biometric verification or PIN entry.

Google has issued a statement to Android Authority on the matter, rightfully pointing out that this wasn’t a Google flaw:

“This attack did not exploit any security flaw in Android or Find Hub. The report indicates this targeted attack required PC malware to be present in order to steal Google account credentials and abuse legitimate functions in Find Hub. We strongly urge all users to enable two-step verification or passkeys for comprehensive protection against credential theft.”

The company also noted that high-visibility users or those at risk of targeted attacks could enrol in the firm’s Advanced Protection Program for improved protection.