Delete Device Data

An adversary could wipe the entire device contents or delete specific files. A malicious application could obtain and abuse Android device administrator access to wipe the entire device.[1] Access to external storage directories or escalated privileges could be used to delete individual files.

ID: T1447
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
Version: 2.0
Created: 25 October 2017
Last Modified: 25 September 2019

Procedure Examples

Name Description
Agent Smith

Agent Smith deletes infected applications’ update packages when they are detected on the system, preventing updates.[7]


FlexiSpy can delete data from a compromised device.[2]


GolfSpy can delete arbitrary files on the device.[6]


Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.[4]


Pallas has the ability to delete attacker-specified files from compromised devices.[3]


ViceLeaker can delete arbitrary files from the device.[5]


Mitigation Description
Caution with Device Administrator Access