1. Home
  2. Techniques
  3. Mobile
  4. Indicator Removal on Host
  5. File Deletion

Indicator Removal on Host: File Deletion

ID Name
T1630.001 Uninstall Malicious Application
T1630.002 File Deletion
T1630.003 Disguise Root/Jailbreak Indicators

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.[1]

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

ID: T1630.002
Sub-technique of:  T1630
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Version: 1.1
Created: 30 March 2022
Last Modified: 20 March 2023
Version Permalink

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith deletes infected applications’ update packages when they are detected on the system, preventing updates.[2]
S0529 CarbonSteal

CarbonSteal has deleted call log entries coming from known C2 sources.[3]
S0505 Desert Scorpion

Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[4]
S0550 DoubleAgent

DoubleAgent has deleted or renamed specific files.[3]
S1080 Fakecalls

Fakecalls can manipulate a device’s call log, including deleting incoming calls.[5]
S0408 FlexiSpy

FlexiSpy can delete data from a compromised device.[6]
S0421 GolfSpy

GolfSpy can delete arbitrary files on the device.[7]
S0536 GPlayed

GPlayed can wipe the device.[8]
S1077 Hornbill

Hornbill can delete locally gathered files after uploading them to the C2 to avoid suspicion.[9]

S0485 Mandrake

Mandrake can delete all data from an infected device.[10]
S0407 Monokle

Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.[11]
S0399 Pallas

Pallas has the ability to delete attacker-specified files from compromised devices.[12]
S0549 SilkBean

SilkBean can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.[3]
S0558 Tiktok Pro

Tiktok Pro can delete attacker-specified files.[13]
S0418 ViceLeaker

ViceLeaker can delete arbitrary files from the device.[14]
S0489 WolfRAT

WolfRAT can delete files from the device.[15]

Mitigations

ID Mitigation Description
M1011 User Guidance

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.
DS0042 User Interface System Settings

The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.

References

  1. Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019.
  2. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
  3. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  4. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  5. Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.
  6. Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.
  7. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  8. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  1. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  2. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  3. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  4. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  5. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  6. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  7. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.