Delete Device Data

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. [1]

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

ID: T1447
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Impact, Defense Evasion
Platforms: Android
Version: 2.1
Created: 25 October 2017
Last Modified: 01 October 2020

Procedure Examples

Name Description
Agent Smith

Agent Smith deletes infected applications’ update packages when they are detected on the system, preventing updates.[2]

Desert Scorpion

Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[3]

FlexiSpy

FlexiSpy can delete data from a compromised device.[4]

GolfSpy

GolfSpy can delete arbitrary files on the device.[5]

Mandrake

Mandrake can delete all data from an infected device.[6]

Monokle

Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.[7]

Pallas

Pallas has the ability to delete attacker-specified files from compromised devices.[8]

ViceLeaker

ViceLeaker can delete arbitrary files from the device.[9]

WolfRAT

WolfRAT can delete files from the device.[10]

Mitigations

Mitigation Description
Application Vetting

Application vetting services could be extra scrutinous of applications that request device administrator permissions.

Caution with Device Administrator Access

There are very limited circumstances under which device administrator access should be granted.

User Guidance

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.

Detection

Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.

References