Correlates (1) application access to, or staging of, local files likely to have operational, evidentiary, or user value; (2) deletion of those files, or wipe-like destructive actions, carried out through ordinary storage access, administrative (device admin or device owner) controls, or privileged/rooted paths; and (3) continued app or device activity after the deletion, such as cleanup, concealment, or outbound transfer. The analytic keys on the ordering of the chain: files are first accessed or prepared, then removed, and device-side behavior continues after the evidence or data is gone. Deletion of files an app has just touched is routine for caches, downloads, and log rotation, so the sequence alone is weak; the volume threshold, the protected-scope file set, the allow-list of cleanup apps, and the presence of a privileged control path or post-deletion uplink are what separate this pattern from benign maintenance.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event |
| | android:MDMLog | device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity |
| File Deletion (DC0040) | MobileEDR:telemetry | application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between file access or staging, deletion event, and subsequent activity |
| FileScopeSet | File paths, storage scopes, and data classes monitored for suspicious deletion, such as documents, databases, media, email stores, or update artifacts |
| DeletionVolumeThreshold | Threshold for number, size, or concentration of deleted files required before escalation |
| AllowedCleanupApps | Legitimate applications expected to rotate, purge, or clean up files in the environment |
| ProtectedRoleSet | Administrative or rooted control paths that materially increase destructive file deletion capability |
| UplinkBytesThreshold | Outbound traffic threshold used to distinguish exfiltration-linked cleanup from benign maintenance activity |
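The correlation described above, expressed as a small detector that runs over constructed telemetry. This is an added example, not code from the ATT&CK page or from any EDR/MDM product: the event schema (`Event` with `file_read`, `file_delete`, `net_tx`, and `posture` kinds), the package names, the paths, and the threshold values are all assumptions chosen to illustrate the mutable elements in the table (TimeWindow, FileScopeSet, DeletionVolumeThreshold, AllowedCleanupApps, ProtectedRoleSet, UplinkBytesThreshold). It only escalates when in-scope files were read and then deleted within the window, at or above the volume threshold, by an app not on the cleanup allow-list, and it raises severity when a privileged role was held before the deletion or when outbound bytes after the deletion exceed the uplink threshold.

```python
from dataclasses import dataclass

# Tunables mirroring the page's mutable elements. Values are illustrative
# assumptions for this example, not defaults taken from any product.
TIME_WINDOW_S = 600              # TimeWindow: access -> delete -> follow-on activity
FILE_SCOPE_PREFIXES = (          # FileScopeSet: paths/data classes worth protecting
    "/sdcard/Documents/",
    "/sdcard/DCIM/",
    "/data/data/com.example.mail/databases/",   # hypothetical mail store
)
DELETION_VOLUME_THRESHOLD = 3    # DeletionVolumeThreshold: in-scope files before escalation
ALLOWED_CLEANUP_APPS = {"com.example.cachecleaner"}          # AllowedCleanupApps (assumed)
PROTECTED_ROLES = {"device_admin", "device_owner", "rooted"} # ProtectedRoleSet
UPLINK_BYTES_THRESHOLD = 1_000_000                           # UplinkBytesThreshold


@dataclass
class Event:
    ts: int            # seconds since epoch
    app: str           # package name of the acting application
    kind: str          # "file_read" | "file_delete" | "net_tx" | "posture"
    path: str = ""     # file events only
    nbytes: int = 0    # net_tx only: bytes sent outbound
    role: str = ""     # posture only: privileged role/state observed


@dataclass
class Alert:
    app: str
    accessed_then_deleted: list   # in-scope paths read and then removed in-window
    uplink_bytes: int             # outbound bytes seen after the deletions, in-window
    privileged_roles: set         # ProtectedRoleSet members held before first deletion
    severity: str                 # "medium" or "high"


def in_scope(path: str) -> bool:
    return path.startswith(FILE_SCOPE_PREFIXES)


def correlate(events) -> list:
    """Return one Alert per app whose events match access -> delete -> continue."""
    by_app = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_app.setdefault(e.app, []).append(e)

    alerts = []
    for app, evs in by_app.items():
        if app in ALLOWED_CLEANUP_APPS:      # expected to purge files; suppress
            continue
        first_read = {}        # path -> ts of first in-scope read
        deleted = {}           # path -> ts of delete that followed a read in-window
        roles = set()          # posture roles seen so far (events are time-ordered)
        roles_at_delete = set()
        uplink_after = 0
        for e in evs:
            if e.kind == "posture":
                roles.add(e.role)
            elif e.kind == "file_read" and in_scope(e.path):
                first_read.setdefault(e.path, e.ts)
            elif e.kind == "file_delete" and in_scope(e.path):
                t0 = first_read.get(e.path)
                if t0 is not None and e.ts - t0 <= TIME_WINDOW_S:
                    if not deleted:                      # snapshot roles held before bulk loss
                        roles_at_delete = set(roles)
                    deleted[e.path] = e.ts
            elif e.kind == "net_tx" and deleted:
                # "continued activity after deletion": count uplink within the window
                if e.ts - max(deleted.values()) <= TIME_WINDOW_S:
                    uplink_after += e.nbytes
        if len(deleted) < DELETION_VOLUME_THRESHOLD:
            continue
        privileged = roles_at_delete & PROTECTED_ROLES
        severity = "high" if privileged or uplink_after >= UPLINK_BYTES_THRESHOLD else "medium"
        alerts.append(Alert(app, sorted(deleted), uplink_after, privileged, severity))
    return alerts


# Constructed sample telemetry (not real logs): one staging-delete-exfil chain,
# one allow-listed cleaner doing the same thing, and two benign deleters.
SAMPLE_EVENTS = [
    Event(1000, "com.example.badapp", "posture", role="device_admin"),
    Event(1010, "com.example.badapp", "file_read", path="/sdcard/Documents/contract.pdf"),
    Event(1011, "com.example.badapp", "file_read", path="/sdcard/Documents/notes.txt"),
    Event(1012, "com.example.badapp", "file_read", path="/sdcard/DCIM/IMG_0001.jpg"),
    Event(1100, "com.example.badapp", "file_delete", path="/sdcard/Documents/contract.pdf"),
    Event(1101, "com.example.badapp", "file_delete", path="/sdcard/Documents/notes.txt"),
    Event(1102, "com.example.badapp", "file_delete", path="/sdcard/DCIM/IMG_0001.jpg"),
    Event(1200, "com.example.badapp", "net_tx", nbytes=2_500_000),
    Event(2000, "com.example.cachecleaner", "file_read", path="/sdcard/Documents/old1.pdf"),
    Event(2001, "com.example.cachecleaner", "file_read", path="/sdcard/Documents/old2.pdf"),
    Event(2002, "com.example.cachecleaner", "file_read", path="/sdcard/Documents/old3.pdf"),
    Event(2010, "com.example.cachecleaner", "file_delete", path="/sdcard/Documents/old1.pdf"),
    Event(2011, "com.example.cachecleaner", "file_delete", path="/sdcard/Documents/old2.pdf"),
    Event(2012, "com.example.cachecleaner", "file_delete", path="/sdcard/Documents/old3.pdf"),
    Event(3000, "com.example.notes", "file_delete", path="/data/data/com.example.notes/cache/t1"),
    Event(4000, "com.example.gallery", "file_read", path="/sdcard/DCIM/IMG_0002.jpg"),
    Event(4005, "com.example.gallery", "file_delete", path="/sdcard/DCIM/IMG_0002.jpg"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Order matters in this detector: a read of a path after its deletion does not pair, and uplink is only counted once a qualifying deletion has been seen, which is what keeps ordinary "write, sync, then delete" behaviour from matching. Tuning the window and volume threshold per data class (email stores versus media) is the usual next step when deploying something like this against real telemetry.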